2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_flow_table.h>
21 #include <net/netfilter/nf_tables_core.h>
22 #include <net/netfilter/nf_tables.h>
23 #include <net/net_namespace.h>
26 static LIST_HEAD(nf_tables_expressions);
27 static LIST_HEAD(nf_tables_objects);
28 static LIST_HEAD(nf_tables_flowtables);
29 static u64 table_handle;
32 NFT_VALIDATE_SKIP = 0,
37 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
38 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
39 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
41 static const struct rhashtable_params nft_chain_ht_params = {
42 .head_offset = offsetof(struct nft_chain, rhlhead),
43 .key_offset = offsetof(struct nft_chain, name),
44 .hashfn = nft_chain_hash,
45 .obj_hashfn = nft_chain_hash_obj,
46 .obj_cmpfn = nft_chain_hash_cmp,
48 .automatic_shrinking = true,
51 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
53 switch (net->nft.validate_state) {
54 case NFT_VALIDATE_SKIP:
55 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
57 case NFT_VALIDATE_NEED:
60 if (new_validate_state == NFT_VALIDATE_NEED)
64 net->nft.validate_state = new_validate_state;
67 static void nft_ctx_init(struct nft_ctx *ctx,
69 const struct sk_buff *skb,
70 const struct nlmsghdr *nlh,
72 struct nft_table *table,
73 struct nft_chain *chain,
74 const struct nlattr * const *nla)
81 ctx->portid = NETLINK_CB(skb).portid;
82 ctx->report = nlmsg_report(nlh);
83 ctx->seq = nlh->nlmsg_seq;
86 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
87 int msg_type, u32 size, gfp_t gfp)
89 struct nft_trans *trans;
91 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
95 trans->msg_type = msg_type;
101 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
102 int msg_type, u32 size)
104 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
107 static void nft_trans_destroy(struct nft_trans *trans)
109 list_del(&trans->list);
113 static int nf_tables_register_hook(struct net *net,
114 const struct nft_table *table,
115 struct nft_chain *chain)
117 const struct nft_base_chain *basechain;
118 const struct nf_hook_ops *ops;
120 if (table->flags & NFT_TABLE_F_DORMANT ||
121 !nft_is_base_chain(chain))
124 basechain = nft_base_chain(chain);
125 ops = &basechain->ops;
127 if (basechain->type->ops_register)
128 return basechain->type->ops_register(net, ops);
130 return nf_register_net_hook(net, ops);
133 static void nf_tables_unregister_hook(struct net *net,
134 const struct nft_table *table,
135 struct nft_chain *chain)
137 const struct nft_base_chain *basechain;
138 const struct nf_hook_ops *ops;
140 if (table->flags & NFT_TABLE_F_DORMANT ||
141 !nft_is_base_chain(chain))
143 basechain = nft_base_chain(chain);
144 ops = &basechain->ops;
146 if (basechain->type->ops_unregister)
147 return basechain->type->ops_unregister(net, ops);
149 nf_unregister_net_hook(net, ops);
152 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
154 struct nft_trans *trans;
156 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
160 if (msg_type == NFT_MSG_NEWTABLE)
161 nft_activate_next(ctx->net, ctx->table);
163 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
167 static int nft_deltable(struct nft_ctx *ctx)
171 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
175 nft_deactivate_next(ctx->net, ctx->table);
179 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
181 struct nft_trans *trans;
183 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
187 if (msg_type == NFT_MSG_NEWCHAIN)
188 nft_activate_next(ctx->net, ctx->chain);
190 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
194 static int nft_delchain(struct nft_ctx *ctx)
198 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
203 nft_deactivate_next(ctx->net, ctx->chain);
208 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
209 struct nft_rule *rule)
211 struct nft_expr *expr;
213 expr = nft_expr_first(rule);
214 while (expr != nft_expr_last(rule) && expr->ops) {
215 if (expr->ops->activate)
216 expr->ops->activate(ctx, expr);
218 expr = nft_expr_next(expr);
222 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
223 struct nft_rule *rule)
225 struct nft_expr *expr;
227 expr = nft_expr_first(rule);
228 while (expr != nft_expr_last(rule) && expr->ops) {
229 if (expr->ops->deactivate)
230 expr->ops->deactivate(ctx, expr);
232 expr = nft_expr_next(expr);
237 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
239 /* You cannot delete the same rule twice */
240 if (nft_is_active_next(ctx->net, rule)) {
241 nft_deactivate_next(ctx->net, rule);
248 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
249 struct nft_rule *rule)
251 struct nft_trans *trans;
253 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
257 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
258 nft_trans_rule_id(trans) =
259 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
261 nft_trans_rule(trans) = rule;
262 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
267 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
269 struct nft_trans *trans;
272 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
276 err = nf_tables_delrule_deactivate(ctx, rule);
278 nft_trans_destroy(trans);
281 nft_rule_expr_deactivate(ctx, rule);
286 static int nft_delrule_by_chain(struct nft_ctx *ctx)
288 struct nft_rule *rule;
291 list_for_each_entry(rule, &ctx->chain->rules, list) {
292 err = nft_delrule(ctx, rule);
299 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
302 struct nft_trans *trans;
304 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
308 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
309 nft_trans_set_id(trans) =
310 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
311 nft_activate_next(ctx->net, set);
313 nft_trans_set(trans) = set;
314 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
319 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
323 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
327 nft_deactivate_next(ctx->net, set);
333 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
334 struct nft_object *obj)
336 struct nft_trans *trans;
338 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
342 if (msg_type == NFT_MSG_NEWOBJ)
343 nft_activate_next(ctx->net, obj);
345 nft_trans_obj(trans) = obj;
346 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
351 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
355 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
359 nft_deactivate_next(ctx->net, obj);
365 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
366 struct nft_flowtable *flowtable)
368 struct nft_trans *trans;
370 trans = nft_trans_alloc(ctx, msg_type,
371 sizeof(struct nft_trans_flowtable));
375 if (msg_type == NFT_MSG_NEWFLOWTABLE)
376 nft_activate_next(ctx->net, flowtable);
378 nft_trans_flowtable(trans) = flowtable;
379 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
384 static int nft_delflowtable(struct nft_ctx *ctx,
385 struct nft_flowtable *flowtable)
389 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
393 nft_deactivate_next(ctx->net, flowtable);
403 static struct nft_table *nft_table_lookup(const struct net *net,
404 const struct nlattr *nla,
405 u8 family, u8 genmask)
407 struct nft_table *table;
410 return ERR_PTR(-EINVAL);
412 list_for_each_entry_rcu(table, &net->nft.tables, list) {
413 if (!nla_strcmp(nla, table->name) &&
414 table->family == family &&
415 nft_active_genmask(table, genmask))
419 return ERR_PTR(-ENOENT);
422 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
423 const struct nlattr *nla,
426 struct nft_table *table;
428 list_for_each_entry(table, &net->nft.tables, list) {
429 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
430 nft_active_genmask(table, genmask))
434 return ERR_PTR(-ENOENT);
437 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
439 return ++table->hgenerator;
442 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
444 static const struct nft_chain_type *
445 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
449 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
450 if (chain_type[family][i] != NULL &&
451 !nla_strcmp(nla, chain_type[family][i]->name))
452 return chain_type[family][i];
457 static const struct nft_chain_type *
458 nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family, bool autoload)
460 const struct nft_chain_type *type;
462 type = __nf_tables_chain_type_lookup(nla, family);
465 #ifdef CONFIG_MODULES
467 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
468 request_module("nft-chain-%u-%.*s", family,
469 nla_len(nla), (const char *)nla_data(nla));
470 nfnl_lock(NFNL_SUBSYS_NFTABLES);
471 type = __nf_tables_chain_type_lookup(nla, family);
473 return ERR_PTR(-EAGAIN);
476 return ERR_PTR(-ENOENT);
479 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
480 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
481 .len = NFT_TABLE_MAXNAMELEN - 1 },
482 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
483 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
486 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
487 u32 portid, u32 seq, int event, u32 flags,
488 int family, const struct nft_table *table)
490 struct nlmsghdr *nlh;
491 struct nfgenmsg *nfmsg;
493 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
494 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
496 goto nla_put_failure;
498 nfmsg = nlmsg_data(nlh);
499 nfmsg->nfgen_family = family;
500 nfmsg->version = NFNETLINK_V0;
501 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
503 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
504 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
505 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
506 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
508 goto nla_put_failure;
514 nlmsg_trim(skb, nlh);
518 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
524 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
527 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
531 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
532 event, 0, ctx->family, ctx->table);
538 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
539 ctx->report, GFP_KERNEL);
542 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
545 static int nf_tables_dump_tables(struct sk_buff *skb,
546 struct netlink_callback *cb)
548 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
549 const struct nft_table *table;
550 unsigned int idx = 0, s_idx = cb->args[0];
551 struct net *net = sock_net(skb->sk);
552 int family = nfmsg->nfgen_family;
555 cb->seq = net->nft.base_seq;
557 list_for_each_entry_rcu(table, &net->nft.tables, list) {
558 if (family != NFPROTO_UNSPEC && family != table->family)
564 memset(&cb->args[1], 0,
565 sizeof(cb->args) - sizeof(cb->args[0]));
566 if (!nft_is_active(net, table))
568 if (nf_tables_fill_table_info(skb, net,
569 NETLINK_CB(cb->skb).portid,
571 NFT_MSG_NEWTABLE, NLM_F_MULTI,
572 table->family, table) < 0)
575 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
585 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
586 const struct nlmsghdr *nlh,
587 struct netlink_dump_control *c)
591 if (!try_module_get(THIS_MODULE))
595 err = netlink_dump_start(nlsk, skb, nlh, c);
597 module_put(THIS_MODULE);
602 /* called with rcu_read_lock held */
603 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
604 struct sk_buff *skb, const struct nlmsghdr *nlh,
605 const struct nlattr * const nla[],
606 struct netlink_ext_ack *extack)
608 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
609 u8 genmask = nft_genmask_cur(net);
610 const struct nft_table *table;
611 struct sk_buff *skb2;
612 int family = nfmsg->nfgen_family;
615 if (nlh->nlmsg_flags & NLM_F_DUMP) {
616 struct netlink_dump_control c = {
617 .dump = nf_tables_dump_tables,
618 .module = THIS_MODULE,
621 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
624 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
626 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
627 return PTR_ERR(table);
630 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
634 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
635 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
640 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
647 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
649 struct nft_chain *chain;
652 list_for_each_entry(chain, &table->chains, list) {
653 if (!nft_is_active_next(net, chain))
655 if (!nft_is_base_chain(chain))
658 if (cnt && i++ == cnt)
661 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
665 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
667 struct nft_chain *chain;
670 list_for_each_entry(chain, &table->chains, list) {
671 if (!nft_is_active_next(net, chain))
673 if (!nft_is_base_chain(chain))
676 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
685 nft_table_disable(net, table, i);
689 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
691 nft_table_disable(net, table, 0);
694 static int nf_tables_updtable(struct nft_ctx *ctx)
696 struct nft_trans *trans;
700 if (!ctx->nla[NFTA_TABLE_FLAGS])
703 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
704 if (flags & ~NFT_TABLE_F_DORMANT)
707 if (flags == ctx->table->flags)
710 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
711 sizeof(struct nft_trans_table));
715 if ((flags & NFT_TABLE_F_DORMANT) &&
716 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
717 nft_trans_table_enable(trans) = false;
718 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
719 ctx->table->flags & NFT_TABLE_F_DORMANT) {
720 ret = nf_tables_table_enable(ctx->net, ctx->table);
722 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
723 nft_trans_table_enable(trans) = true;
729 nft_trans_table_update(trans) = true;
730 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
733 nft_trans_destroy(trans);
737 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
739 const char *name = data;
741 return jhash(name, strlen(name), seed);
744 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
746 const struct nft_chain *chain = data;
748 return nft_chain_hash(chain->name, 0, seed);
751 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
754 const struct nft_chain *chain = ptr;
755 const char *name = arg->key;
757 return strcmp(chain->name, name);
760 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
761 struct sk_buff *skb, const struct nlmsghdr *nlh,
762 const struct nlattr * const nla[],
763 struct netlink_ext_ack *extack)
765 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
766 u8 genmask = nft_genmask_next(net);
767 int family = nfmsg->nfgen_family;
768 const struct nlattr *attr;
769 struct nft_table *table;
774 attr = nla[NFTA_TABLE_NAME];
775 table = nft_table_lookup(net, attr, family, genmask);
777 if (PTR_ERR(table) != -ENOENT)
778 return PTR_ERR(table);
780 if (nlh->nlmsg_flags & NLM_F_EXCL) {
781 NL_SET_BAD_ATTR(extack, attr);
784 if (nlh->nlmsg_flags & NLM_F_REPLACE)
787 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
788 return nf_tables_updtable(&ctx);
791 if (nla[NFTA_TABLE_FLAGS]) {
792 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
793 if (flags & ~NFT_TABLE_F_DORMANT)
798 table = kzalloc(sizeof(*table), GFP_KERNEL);
802 table->name = nla_strdup(attr, GFP_KERNEL);
803 if (table->name == NULL)
806 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
810 INIT_LIST_HEAD(&table->chains);
811 INIT_LIST_HEAD(&table->sets);
812 INIT_LIST_HEAD(&table->objects);
813 INIT_LIST_HEAD(&table->flowtables);
814 table->family = family;
815 table->flags = flags;
816 table->handle = ++table_handle;
818 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
819 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
823 list_add_tail_rcu(&table->list, &net->nft.tables);
826 rhltable_destroy(&table->chains_ht);
835 static int nft_flush_table(struct nft_ctx *ctx)
837 struct nft_flowtable *flowtable, *nft;
838 struct nft_chain *chain, *nc;
839 struct nft_object *obj, *ne;
840 struct nft_set *set, *ns;
843 list_for_each_entry(chain, &ctx->table->chains, list) {
844 if (!nft_is_active_next(ctx->net, chain))
849 err = nft_delrule_by_chain(ctx);
854 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
855 if (!nft_is_active_next(ctx->net, set))
858 if (nft_set_is_anonymous(set) &&
859 !list_empty(&set->bindings))
862 err = nft_delset(ctx, set);
867 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
868 err = nft_delflowtable(ctx, flowtable);
873 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
874 err = nft_delobj(ctx, obj);
879 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
880 if (!nft_is_active_next(ctx->net, chain))
885 err = nft_delchain(ctx);
890 err = nft_deltable(ctx);
895 static int nft_flush(struct nft_ctx *ctx, int family)
897 struct nft_table *table, *nt;
898 const struct nlattr * const *nla = ctx->nla;
901 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
902 if (family != AF_UNSPEC && table->family != family)
905 ctx->family = table->family;
907 if (!nft_is_active_next(ctx->net, table))
910 if (nla[NFTA_TABLE_NAME] &&
911 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
916 err = nft_flush_table(ctx);
924 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
925 struct sk_buff *skb, const struct nlmsghdr *nlh,
926 const struct nlattr * const nla[],
927 struct netlink_ext_ack *extack)
929 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
930 u8 genmask = nft_genmask_next(net);
931 int family = nfmsg->nfgen_family;
932 const struct nlattr *attr;
933 struct nft_table *table;
936 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
937 if (family == AF_UNSPEC ||
938 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
939 return nft_flush(&ctx, family);
941 if (nla[NFTA_TABLE_HANDLE]) {
942 attr = nla[NFTA_TABLE_HANDLE];
943 table = nft_table_lookup_byhandle(net, attr, genmask);
945 attr = nla[NFTA_TABLE_NAME];
946 table = nft_table_lookup(net, attr, family, genmask);
950 NL_SET_BAD_ATTR(extack, attr);
951 return PTR_ERR(table);
954 if (nlh->nlmsg_flags & NLM_F_NONREC &&
961 return nft_flush_table(&ctx);
964 static void nf_tables_table_destroy(struct nft_ctx *ctx)
966 BUG_ON(ctx->table->use > 0);
968 rhltable_destroy(&ctx->table->chains_ht);
969 kfree(ctx->table->name);
973 void nft_register_chain_type(const struct nft_chain_type *ctype)
975 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
978 nfnl_lock(NFNL_SUBSYS_NFTABLES);
979 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
980 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
983 chain_type[ctype->family][ctype->type] = ctype;
984 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
986 EXPORT_SYMBOL_GPL(nft_register_chain_type);
988 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
990 nfnl_lock(NFNL_SUBSYS_NFTABLES);
991 chain_type[ctype->family][ctype->type] = NULL;
992 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
994 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1000 static struct nft_chain *
1001 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1003 struct nft_chain *chain;
1005 list_for_each_entry(chain, &table->chains, list) {
1006 if (chain->handle == handle &&
1007 nft_active_genmask(chain, genmask))
1011 return ERR_PTR(-ENOENT);
1014 static struct nft_chain *nft_chain_lookup(struct nft_table *table,
1015 const struct nlattr *nla, u8 genmask)
1017 char search[NFT_CHAIN_MAXNAMELEN + 1];
1018 struct rhlist_head *tmp, *list;
1019 struct nft_chain *chain;
1022 return ERR_PTR(-EINVAL);
1024 nla_strlcpy(search, nla, sizeof(search));
1026 WARN_ON(!rcu_read_lock_held() &&
1027 !lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
1029 chain = ERR_PTR(-ENOENT);
1031 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1035 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1036 if (nft_active_genmask(chain, genmask))
1039 chain = ERR_PTR(-ENOENT);
1045 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1046 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1047 .len = NFT_TABLE_MAXNAMELEN - 1 },
1048 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1049 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1050 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1051 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1052 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1053 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1054 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1057 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1058 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1059 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1060 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1061 .len = IFNAMSIZ - 1 },
1064 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1066 struct nft_stats *cpu_stats, total;
1067 struct nlattr *nest;
1072 memset(&total, 0, sizeof(total));
1073 for_each_possible_cpu(cpu) {
1074 cpu_stats = per_cpu_ptr(stats, cpu);
1076 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1077 pkts = cpu_stats->pkts;
1078 bytes = cpu_stats->bytes;
1079 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1081 total.bytes += bytes;
1083 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1085 goto nla_put_failure;
1087 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1088 NFTA_COUNTER_PAD) ||
1089 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1091 goto nla_put_failure;
1093 nla_nest_end(skb, nest);
1100 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1101 u32 portid, u32 seq, int event, u32 flags,
1102 int family, const struct nft_table *table,
1103 const struct nft_chain *chain)
1105 struct nlmsghdr *nlh;
1106 struct nfgenmsg *nfmsg;
1108 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1109 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1111 goto nla_put_failure;
1113 nfmsg = nlmsg_data(nlh);
1114 nfmsg->nfgen_family = family;
1115 nfmsg->version = NFNETLINK_V0;
1116 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1118 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1119 goto nla_put_failure;
1120 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1122 goto nla_put_failure;
1123 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1124 goto nla_put_failure;
1126 if (nft_is_base_chain(chain)) {
1127 const struct nft_base_chain *basechain = nft_base_chain(chain);
1128 const struct nf_hook_ops *ops = &basechain->ops;
1129 struct nlattr *nest;
1131 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1133 goto nla_put_failure;
1134 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1135 goto nla_put_failure;
1136 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1137 goto nla_put_failure;
1138 if (basechain->dev_name[0] &&
1139 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1140 goto nla_put_failure;
1141 nla_nest_end(skb, nest);
1143 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1144 htonl(basechain->policy)))
1145 goto nla_put_failure;
1147 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1148 goto nla_put_failure;
1150 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1151 goto nla_put_failure;
1154 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1155 goto nla_put_failure;
1157 nlmsg_end(skb, nlh);
1161 nlmsg_trim(skb, nlh);
1165 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1167 struct sk_buff *skb;
1171 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1174 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1178 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1179 event, 0, ctx->family, ctx->table,
1186 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1187 ctx->report, GFP_KERNEL);
1190 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1193 static int nf_tables_dump_chains(struct sk_buff *skb,
1194 struct netlink_callback *cb)
1196 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1197 const struct nft_table *table;
1198 const struct nft_chain *chain;
1199 unsigned int idx = 0, s_idx = cb->args[0];
1200 struct net *net = sock_net(skb->sk);
1201 int family = nfmsg->nfgen_family;
1204 cb->seq = net->nft.base_seq;
1206 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1207 if (family != NFPROTO_UNSPEC && family != table->family)
1210 list_for_each_entry_rcu(chain, &table->chains, list) {
1214 memset(&cb->args[1], 0,
1215 sizeof(cb->args) - sizeof(cb->args[0]));
1216 if (!nft_is_active(net, chain))
1218 if (nf_tables_fill_chain_info(skb, net,
1219 NETLINK_CB(cb->skb).portid,
1223 table->family, table,
1227 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1238 /* called with rcu_read_lock held */
1239 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1240 struct sk_buff *skb, const struct nlmsghdr *nlh,
1241 const struct nlattr * const nla[],
1242 struct netlink_ext_ack *extack)
1244 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1245 u8 genmask = nft_genmask_cur(net);
1246 const struct nft_chain *chain;
1247 struct nft_table *table;
1248 struct sk_buff *skb2;
1249 int family = nfmsg->nfgen_family;
1252 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1253 struct netlink_dump_control c = {
1254 .dump = nf_tables_dump_chains,
1255 .module = THIS_MODULE,
1258 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1261 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1262 if (IS_ERR(table)) {
1263 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1264 return PTR_ERR(table);
1267 chain = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1268 if (IS_ERR(chain)) {
1269 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1270 return PTR_ERR(chain);
1273 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1277 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1278 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1279 family, table, chain);
1283 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1290 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1291 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1292 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1295 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1297 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1298 struct nft_stats __percpu *newstats;
1299 struct nft_stats *stats;
1302 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1305 return ERR_PTR(err);
1307 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1308 return ERR_PTR(-EINVAL);
1310 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1311 if (newstats == NULL)
1312 return ERR_PTR(-ENOMEM);
1314 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1315 * are not exposed to userspace.
1318 stats = this_cpu_ptr(newstats);
1319 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1320 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1326 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1327 struct nft_stats __percpu *newstats)
1329 struct nft_stats __percpu *oldstats;
1331 if (newstats == NULL)
1335 oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
1336 rcu_assign_pointer(chain->stats, newstats);
1338 free_percpu(oldstats);
1340 rcu_assign_pointer(chain->stats, newstats);
1341 static_branch_inc(&nft_counters_enabled);
1345 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1347 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1348 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1354 /* should be NULL either via abort or via successful commit */
1355 WARN_ON_ONCE(chain->rules_next);
1356 kvfree(chain->rules_next);
1359 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1361 struct nft_chain *chain = ctx->chain;
1363 BUG_ON(chain->use > 0);
1365 /* no concurrent access possible anymore */
1366 nf_tables_chain_free_chain_rules(chain);
1368 if (nft_is_base_chain(chain)) {
1369 struct nft_base_chain *basechain = nft_base_chain(chain);
1371 module_put(basechain->type->owner);
1372 free_percpu(basechain->stats);
1373 if (basechain->stats)
1374 static_branch_dec(&nft_counters_enabled);
1383 struct nft_chain_hook {
1386 const struct nft_chain_type *type;
1387 struct net_device *dev;
1390 static int nft_chain_parse_hook(struct net *net,
1391 const struct nlattr * const nla[],
1392 struct nft_chain_hook *hook, u8 family,
1395 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1396 const struct nft_chain_type *type;
1397 struct net_device *dev;
1400 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1401 nft_hook_policy, NULL);
1405 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1406 ha[NFTA_HOOK_PRIORITY] == NULL)
1409 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1410 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1412 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1413 if (nla[NFTA_CHAIN_TYPE]) {
1414 type = nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
1417 return PTR_ERR(type);
1419 if (!(type->hook_mask & (1 << hook->num)))
1422 if (type->type == NFT_CHAIN_T_NAT &&
1423 hook->priority <= NF_IP_PRI_CONNTRACK)
1426 if (!try_module_get(type->owner))
1432 if (family == NFPROTO_NETDEV) {
1433 char ifname[IFNAMSIZ];
1435 if (!ha[NFTA_HOOK_DEV]) {
1436 module_put(type->owner);
1440 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1441 dev = __dev_get_by_name(net, ifname);
1443 module_put(type->owner);
1447 } else if (ha[NFTA_HOOK_DEV]) {
1448 module_put(type->owner);
1455 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1457 module_put(hook->type->owner);
1460 struct nft_rules_old {
1462 struct nft_rule **start;
1465 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1468 if (alloc > INT_MAX)
1471 alloc += 1; /* NULL, ends rules */
1472 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1475 alloc *= sizeof(struct nft_rule *);
1476 alloc += sizeof(struct nft_rules_old);
1478 return kvmalloc(alloc, GFP_KERNEL);
1481 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1482 u8 policy, bool create)
1484 const struct nlattr * const *nla = ctx->nla;
1485 struct nft_table *table = ctx->table;
1486 struct nft_base_chain *basechain;
1487 struct nft_stats __percpu *stats;
1488 struct net *net = ctx->net;
1489 struct nft_chain *chain;
1490 struct nft_rule **rules;
1493 if (table->use == UINT_MAX)
1496 if (nla[NFTA_CHAIN_HOOK]) {
1497 struct nft_chain_hook hook;
1498 struct nf_hook_ops *ops;
1500 err = nft_chain_parse_hook(net, nla, &hook, family, create);
1504 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1505 if (basechain == NULL) {
1506 nft_chain_release_hook(&hook);
1510 if (hook.dev != NULL)
1511 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1513 if (nla[NFTA_CHAIN_COUNTERS]) {
1514 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1515 if (IS_ERR(stats)) {
1516 nft_chain_release_hook(&hook);
1518 return PTR_ERR(stats);
1520 basechain->stats = stats;
1521 static_branch_inc(&nft_counters_enabled);
1524 basechain->type = hook.type;
1525 chain = &basechain->chain;
1527 ops = &basechain->ops;
1529 ops->hooknum = hook.num;
1530 ops->priority = hook.priority;
1532 ops->hook = hook.type->hooks[ops->hooknum];
1533 ops->dev = hook.dev;
1535 chain->flags |= NFT_BASE_CHAIN;
1536 basechain->policy = policy;
1538 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1544 INIT_LIST_HEAD(&chain->rules);
1545 chain->handle = nf_tables_alloc_handle(table);
1546 chain->table = table;
1547 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1553 rules = nf_tables_chain_alloc_rules(chain, 0);
1560 rcu_assign_pointer(chain->rules_gen_0, rules);
1561 rcu_assign_pointer(chain->rules_gen_1, rules);
1563 err = nf_tables_register_hook(net, table, chain);
1567 err = rhltable_insert_key(&table->chains_ht, chain->name,
1568 &chain->rhlhead, nft_chain_ht_params);
1572 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1574 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1575 nft_chain_ht_params);
1580 list_add_tail_rcu(&chain->list, &table->chains);
1584 nf_tables_unregister_hook(net, table, chain);
1586 nf_tables_chain_destroy(ctx);
1591 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1594 const struct nlattr * const *nla = ctx->nla;
1595 struct nft_table *table = ctx->table;
1596 struct nft_chain *chain = ctx->chain;
1597 struct nft_base_chain *basechain;
1598 struct nft_stats *stats = NULL;
1599 struct nft_chain_hook hook;
1600 const struct nlattr *name;
1601 struct nf_hook_ops *ops;
1602 struct nft_trans *trans;
1605 if (nla[NFTA_CHAIN_HOOK]) {
1606 if (!nft_is_base_chain(chain))
1609 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1614 basechain = nft_base_chain(chain);
1615 if (basechain->type != hook.type) {
1616 nft_chain_release_hook(&hook);
1620 ops = &basechain->ops;
1621 if (ops->hooknum != hook.num ||
1622 ops->priority != hook.priority ||
1623 ops->dev != hook.dev) {
1624 nft_chain_release_hook(&hook);
1627 nft_chain_release_hook(&hook);
1630 if (nla[NFTA_CHAIN_HANDLE] &&
1631 nla[NFTA_CHAIN_NAME]) {
1632 struct nft_chain *chain2;
1634 chain2 = nft_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1635 if (!IS_ERR(chain2))
1639 if (nla[NFTA_CHAIN_COUNTERS]) {
1640 if (!nft_is_base_chain(chain))
1643 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1645 return PTR_ERR(stats);
1648 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1649 sizeof(struct nft_trans_chain));
1650 if (trans == NULL) {
1655 nft_trans_chain_stats(trans) = stats;
1656 nft_trans_chain_update(trans) = true;
1658 if (nla[NFTA_CHAIN_POLICY])
1659 nft_trans_chain_policy(trans) = policy;
1661 nft_trans_chain_policy(trans) = -1;
1663 name = nla[NFTA_CHAIN_NAME];
1664 if (nla[NFTA_CHAIN_HANDLE] && name) {
1665 nft_trans_chain_name(trans) =
1666 nla_strdup(name, GFP_KERNEL);
1667 if (!nft_trans_chain_name(trans)) {
1673 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1678 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1679 struct sk_buff *skb, const struct nlmsghdr *nlh,
1680 const struct nlattr * const nla[],
1681 struct netlink_ext_ack *extack)
1683 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1684 u8 genmask = nft_genmask_next(net);
1685 int family = nfmsg->nfgen_family;
1686 const struct nlattr *attr;
1687 struct nft_table *table;
1688 struct nft_chain *chain;
1689 u8 policy = NF_ACCEPT;
1694 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1696 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1697 if (IS_ERR(table)) {
1698 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1699 return PTR_ERR(table);
1703 attr = nla[NFTA_CHAIN_NAME];
1705 if (nla[NFTA_CHAIN_HANDLE]) {
1706 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1707 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1708 if (IS_ERR(chain)) {
1709 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1710 return PTR_ERR(chain);
1712 attr = nla[NFTA_CHAIN_HANDLE];
1714 chain = nft_chain_lookup(table, attr, genmask);
1715 if (IS_ERR(chain)) {
1716 if (PTR_ERR(chain) != -ENOENT) {
1717 NL_SET_BAD_ATTR(extack, attr);
1718 return PTR_ERR(chain);
1724 if (nla[NFTA_CHAIN_POLICY]) {
1725 if (chain != NULL &&
1726 !nft_is_base_chain(chain)) {
1727 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1731 if (chain == NULL &&
1732 nla[NFTA_CHAIN_HOOK] == NULL) {
1733 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1737 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1747 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1749 if (chain != NULL) {
1750 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1751 NL_SET_BAD_ATTR(extack, attr);
1754 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1757 return nf_tables_updchain(&ctx, genmask, policy, create);
1760 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1763 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1764 struct sk_buff *skb, const struct nlmsghdr *nlh,
1765 const struct nlattr * const nla[],
1766 struct netlink_ext_ack *extack)
1768 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1769 u8 genmask = nft_genmask_next(net);
1770 int family = nfmsg->nfgen_family;
1771 const struct nlattr *attr;
1772 struct nft_table *table;
1773 struct nft_chain *chain;
1774 struct nft_rule *rule;
1780 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1781 if (IS_ERR(table)) {
1782 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1783 return PTR_ERR(table);
1786 if (nla[NFTA_CHAIN_HANDLE]) {
1787 attr = nla[NFTA_CHAIN_HANDLE];
1788 handle = be64_to_cpu(nla_get_be64(attr));
1789 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1791 attr = nla[NFTA_CHAIN_NAME];
1792 chain = nft_chain_lookup(table, attr, genmask);
1794 if (IS_ERR(chain)) {
1795 NL_SET_BAD_ATTR(extack, attr);
1796 return PTR_ERR(chain);
1799 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1803 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1806 list_for_each_entry(rule, &chain->rules, list) {
1807 if (!nft_is_active_next(net, rule))
1811 err = nft_delrule(&ctx, rule);
1816 /* There are rules and elements that are still holding references to us,
1817 * we cannot do a recursive removal in this case.
1820 NL_SET_BAD_ATTR(extack, attr);
1824 return nft_delchain(&ctx);
1832 * nft_register_expr - register nf_tables expr type
1835 * Registers the expr type for use with nf_tables. Returns zero on
1836 * success or a negative errno code otherwise.
1838 int nft_register_expr(struct nft_expr_type *type)
1840 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1841 if (type->family == NFPROTO_UNSPEC)
1842 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1844 list_add_rcu(&type->list, &nf_tables_expressions);
1845 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1848 EXPORT_SYMBOL_GPL(nft_register_expr);
1851 * nft_unregister_expr - unregister nf_tables expr type
1854 * Unregisters the expr typefor use with nf_tables.
1856 void nft_unregister_expr(struct nft_expr_type *type)
1858 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1859 list_del_rcu(&type->list);
1860 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1862 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1864 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1867 const struct nft_expr_type *type;
1869 list_for_each_entry(type, &nf_tables_expressions, list) {
1870 if (!nla_strcmp(nla, type->name) &&
1871 (!type->family || type->family == family))
1877 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1880 const struct nft_expr_type *type;
1883 return ERR_PTR(-EINVAL);
1885 type = __nft_expr_type_get(family, nla);
1886 if (type != NULL && try_module_get(type->owner))
1889 #ifdef CONFIG_MODULES
1891 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1892 request_module("nft-expr-%u-%.*s", family,
1893 nla_len(nla), (char *)nla_data(nla));
1894 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1895 if (__nft_expr_type_get(family, nla))
1896 return ERR_PTR(-EAGAIN);
1898 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1899 request_module("nft-expr-%.*s",
1900 nla_len(nla), (char *)nla_data(nla));
1901 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1902 if (__nft_expr_type_get(family, nla))
1903 return ERR_PTR(-EAGAIN);
1906 return ERR_PTR(-ENOENT);
1909 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1910 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1911 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1914 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1915 const struct nft_expr *expr)
1917 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1918 goto nla_put_failure;
1920 if (expr->ops->dump) {
1921 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1923 goto nla_put_failure;
1924 if (expr->ops->dump(skb, expr) < 0)
1925 goto nla_put_failure;
1926 nla_nest_end(skb, data);
1935 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1936 const struct nft_expr *expr)
1938 struct nlattr *nest;
1940 nest = nla_nest_start(skb, attr);
1942 goto nla_put_failure;
1943 if (nf_tables_fill_expr_info(skb, expr) < 0)
1944 goto nla_put_failure;
1945 nla_nest_end(skb, nest);
1952 struct nft_expr_info {
1953 const struct nft_expr_ops *ops;
1954 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1957 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1958 const struct nlattr *nla,
1959 struct nft_expr_info *info)
1961 const struct nft_expr_type *type;
1962 const struct nft_expr_ops *ops;
1963 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1966 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1970 type = nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
1972 return PTR_ERR(type);
1974 if (tb[NFTA_EXPR_DATA]) {
1975 err = nla_parse_nested(info->tb, type->maxattr,
1976 tb[NFTA_EXPR_DATA], type->policy, NULL);
1980 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1982 if (type->select_ops != NULL) {
1983 ops = type->select_ops(ctx,
1984 (const struct nlattr * const *)info->tb);
1996 module_put(type->owner);
2000 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2001 const struct nft_expr_info *info,
2002 struct nft_expr *expr)
2004 const struct nft_expr_ops *ops = info->ops;
2009 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2020 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2021 struct nft_expr *expr)
2023 if (expr->ops->destroy)
2024 expr->ops->destroy(ctx, expr);
2025 module_put(expr->ops->type->owner);
2028 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2029 const struct nlattr *nla)
2031 struct nft_expr_info info;
2032 struct nft_expr *expr;
2035 err = nf_tables_expr_parse(ctx, nla, &info);
2040 expr = kzalloc(info.ops->size, GFP_KERNEL);
2044 err = nf_tables_newexpr(ctx, &info, expr);
2052 module_put(info.ops->type->owner);
2054 return ERR_PTR(err);
2057 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2059 nf_tables_expr_destroy(ctx, expr);
2067 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2070 struct nft_rule *rule;
2072 // FIXME: this sucks
2073 list_for_each_entry_rcu(rule, &chain->rules, list) {
2074 if (handle == rule->handle)
2078 return ERR_PTR(-ENOENT);
2081 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2082 const struct nlattr *nla)
2085 return ERR_PTR(-EINVAL);
2087 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2090 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2091 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2092 .len = NFT_TABLE_MAXNAMELEN - 1 },
2093 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2094 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2095 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2096 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2097 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2098 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2099 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2100 .len = NFT_USERDATA_MAXLEN },
2101 [NFTA_RULE_ID] = { .type = NLA_U32 },
2104 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2105 u32 portid, u32 seq, int event,
2106 u32 flags, int family,
2107 const struct nft_table *table,
2108 const struct nft_chain *chain,
2109 const struct nft_rule *rule)
2111 struct nlmsghdr *nlh;
2112 struct nfgenmsg *nfmsg;
2113 const struct nft_expr *expr, *next;
2114 struct nlattr *list;
2115 const struct nft_rule *prule;
2116 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2118 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2120 goto nla_put_failure;
2122 nfmsg = nlmsg_data(nlh);
2123 nfmsg->nfgen_family = family;
2124 nfmsg->version = NFNETLINK_V0;
2125 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2127 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2128 goto nla_put_failure;
2129 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2130 goto nla_put_failure;
2131 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2133 goto nla_put_failure;
2135 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2136 prule = list_prev_entry(rule, list);
2137 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2138 cpu_to_be64(prule->handle),
2140 goto nla_put_failure;
2143 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2145 goto nla_put_failure;
2146 nft_rule_for_each_expr(expr, next, rule) {
2147 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2148 goto nla_put_failure;
2150 nla_nest_end(skb, list);
2153 struct nft_userdata *udata = nft_userdata(rule);
2154 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2156 goto nla_put_failure;
2159 nlmsg_end(skb, nlh);
2163 nlmsg_trim(skb, nlh);
2167 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2168 const struct nft_rule *rule, int event)
2170 struct sk_buff *skb;
2174 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2177 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2181 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2182 event, 0, ctx->family, ctx->table,
2189 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2190 ctx->report, GFP_KERNEL);
2193 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2196 struct nft_rule_dump_ctx {
2201 static int nf_tables_dump_rules(struct sk_buff *skb,
2202 struct netlink_callback *cb)
2204 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2205 const struct nft_rule_dump_ctx *ctx = cb->data;
2206 const struct nft_table *table;
2207 const struct nft_chain *chain;
2208 const struct nft_rule *rule;
2209 unsigned int idx = 0, s_idx = cb->args[0];
2210 struct net *net = sock_net(skb->sk);
2211 int family = nfmsg->nfgen_family;
2214 cb->seq = net->nft.base_seq;
2216 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2217 if (family != NFPROTO_UNSPEC && family != table->family)
2220 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2223 list_for_each_entry_rcu(chain, &table->chains, list) {
2224 if (ctx && ctx->chain &&
2225 strcmp(ctx->chain, chain->name) != 0)
2228 list_for_each_entry_rcu(rule, &chain->rules, list) {
2229 if (!nft_is_active(net, rule))
2234 memset(&cb->args[1], 0,
2235 sizeof(cb->args) - sizeof(cb->args[0]));
2236 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2239 NLM_F_MULTI | NLM_F_APPEND,
2241 table, chain, rule) < 0)
2244 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2257 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2259 struct nft_rule_dump_ctx *ctx = cb->data;
2269 /* called with rcu_read_lock held */
2270 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2271 struct sk_buff *skb, const struct nlmsghdr *nlh,
2272 const struct nlattr * const nla[],
2273 struct netlink_ext_ack *extack)
2275 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2276 u8 genmask = nft_genmask_cur(net);
2277 const struct nft_chain *chain;
2278 const struct nft_rule *rule;
2279 struct nft_table *table;
2280 struct sk_buff *skb2;
2281 int family = nfmsg->nfgen_family;
2284 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2285 struct netlink_dump_control c = {
2286 .dump = nf_tables_dump_rules,
2287 .done = nf_tables_dump_rules_done,
2288 .module = THIS_MODULE,
2291 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2292 struct nft_rule_dump_ctx *ctx;
2294 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2298 if (nla[NFTA_RULE_TABLE]) {
2299 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2306 if (nla[NFTA_RULE_CHAIN]) {
2307 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2318 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2321 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2322 if (IS_ERR(table)) {
2323 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2324 return PTR_ERR(table);
2327 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2328 if (IS_ERR(chain)) {
2329 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2330 return PTR_ERR(chain);
2333 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2335 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2336 return PTR_ERR(rule);
2339 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2343 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2344 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2345 family, table, chain, rule);
2349 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2356 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2357 struct nft_rule *rule)
2359 struct nft_expr *expr;
2362 * Careful: some expressions might not be initialized in case this
2363 * is called on error from nf_tables_newrule().
2365 expr = nft_expr_first(rule);
2366 while (expr != nft_expr_last(rule) && expr->ops) {
2367 nf_tables_expr_destroy(ctx, expr);
2368 expr = nft_expr_next(expr);
2373 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2374 struct nft_rule *rule)
2376 nft_rule_expr_deactivate(ctx, rule);
2377 nf_tables_rule_destroy(ctx, rule);
2380 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2382 struct nft_expr *expr, *last;
2383 const struct nft_data *data;
2384 struct nft_rule *rule;
2387 list_for_each_entry(rule, &chain->rules, list) {
2388 if (!nft_is_active_next(ctx->net, rule))
2391 nft_rule_for_each_expr(expr, last, rule) {
2392 if (!expr->ops->validate)
2395 err = expr->ops->validate(ctx, expr, &data);
2403 EXPORT_SYMBOL_GPL(nft_chain_validate);
2405 static int nft_table_validate(struct net *net, const struct nft_table *table)
2407 struct nft_chain *chain;
2408 struct nft_ctx ctx = {
2410 .family = table->family,
2414 list_for_each_entry(chain, &table->chains, list) {
2415 if (!nft_is_base_chain(chain))
2419 err = nft_chain_validate(&ctx, chain);
2427 #define NFT_RULE_MAXEXPRS 128
2429 static struct nft_expr_info *info;
2431 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2432 struct sk_buff *skb, const struct nlmsghdr *nlh,
2433 const struct nlattr * const nla[],
2434 struct netlink_ext_ack *extack)
2436 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2437 u8 genmask = nft_genmask_next(net);
2438 int family = nfmsg->nfgen_family;
2439 struct nft_table *table;
2440 struct nft_chain *chain;
2441 struct nft_rule *rule, *old_rule = NULL;
2442 struct nft_userdata *udata;
2443 struct nft_trans *trans = NULL;
2444 struct nft_expr *expr;
2447 unsigned int size, i, n, ulen = 0, usize = 0;
2450 u64 handle, pos_handle;
2452 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2454 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2455 if (IS_ERR(table)) {
2456 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2457 return PTR_ERR(table);
2460 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2461 if (IS_ERR(chain)) {
2462 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2463 return PTR_ERR(chain);
2466 if (nla[NFTA_RULE_HANDLE]) {
2467 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2468 rule = __nft_rule_lookup(chain, handle);
2470 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2471 return PTR_ERR(rule);
2474 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2475 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2478 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2483 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2485 handle = nf_tables_alloc_handle(table);
2487 if (chain->use == UINT_MAX)
2491 if (nla[NFTA_RULE_POSITION]) {
2492 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2495 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2496 old_rule = __nft_rule_lookup(chain, pos_handle);
2497 if (IS_ERR(old_rule)) {
2498 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2499 return PTR_ERR(old_rule);
2503 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2507 if (nla[NFTA_RULE_EXPRESSIONS]) {
2508 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2510 if (nla_type(tmp) != NFTA_LIST_ELEM)
2512 if (n == NFT_RULE_MAXEXPRS)
2514 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2517 size += info[n].ops->size;
2521 /* Check for overflow of dlen field */
2523 if (size >= 1 << 12)
2526 if (nla[NFTA_RULE_USERDATA]) {
2527 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2529 usize = sizeof(struct nft_userdata) + ulen;
2533 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2537 nft_activate_next(net, rule);
2539 rule->handle = handle;
2541 rule->udata = ulen ? 1 : 0;
2544 udata = nft_userdata(rule);
2545 udata->len = ulen - 1;
2546 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2549 expr = nft_expr_first(rule);
2550 for (i = 0; i < n; i++) {
2551 err = nf_tables_newexpr(&ctx, &info[i], expr);
2555 if (info[i].ops->validate)
2556 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2559 expr = nft_expr_next(expr);
2562 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2563 if (!nft_is_active_next(net, old_rule)) {
2567 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2569 if (trans == NULL) {
2573 nft_deactivate_next(net, old_rule);
2576 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2581 list_add_tail_rcu(&rule->list, &old_rule->list);
2583 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2588 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2590 list_add_rcu(&rule->list, &old_rule->list);
2592 list_add_tail_rcu(&rule->list, &chain->rules);
2595 list_add_tail_rcu(&rule->list, &old_rule->list);
2597 list_add_rcu(&rule->list, &chain->rules);
2602 if (net->nft.validate_state == NFT_VALIDATE_DO)
2603 return nft_table_validate(net, table);
2607 nf_tables_rule_release(&ctx, rule);
2609 for (i = 0; i < n; i++) {
2610 if (info[i].ops != NULL)
2611 module_put(info[i].ops->type->owner);
2616 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2617 const struct nlattr *nla)
2619 u32 id = ntohl(nla_get_be32(nla));
2620 struct nft_trans *trans;
2622 list_for_each_entry(trans, &net->nft.commit_list, list) {
2623 struct nft_rule *rule = nft_trans_rule(trans);
2625 if (trans->msg_type == NFT_MSG_NEWRULE &&
2626 id == nft_trans_rule_id(trans))
2629 return ERR_PTR(-ENOENT);
2632 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2633 struct sk_buff *skb, const struct nlmsghdr *nlh,
2634 const struct nlattr * const nla[],
2635 struct netlink_ext_ack *extack)
2637 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2638 u8 genmask = nft_genmask_next(net);
2639 struct nft_table *table;
2640 struct nft_chain *chain = NULL;
2641 struct nft_rule *rule;
2642 int family = nfmsg->nfgen_family, err = 0;
2645 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2646 if (IS_ERR(table)) {
2647 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2648 return PTR_ERR(table);
2651 if (nla[NFTA_RULE_CHAIN]) {
2652 chain = nft_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2653 if (IS_ERR(chain)) {
2654 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2655 return PTR_ERR(chain);
2659 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2662 if (nla[NFTA_RULE_HANDLE]) {
2663 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2665 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2666 return PTR_ERR(rule);
2669 err = nft_delrule(&ctx, rule);
2670 } else if (nla[NFTA_RULE_ID]) {
2671 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2673 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2674 return PTR_ERR(rule);
2677 err = nft_delrule(&ctx, rule);
2679 err = nft_delrule_by_chain(&ctx);
2682 list_for_each_entry(chain, &table->chains, list) {
2683 if (!nft_is_active_next(net, chain))
2687 err = nft_delrule_by_chain(&ctx);
2700 static LIST_HEAD(nf_tables_set_types);
2702 int nft_register_set(struct nft_set_type *type)
2704 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2705 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2706 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2709 EXPORT_SYMBOL_GPL(nft_register_set);
2711 void nft_unregister_set(struct nft_set_type *type)
2713 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2714 list_del_rcu(&type->list);
2715 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2717 EXPORT_SYMBOL_GPL(nft_unregister_set);
2719 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2720 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2723 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2725 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2729 * Select a set implementation based on the data characteristics and the
2730 * given policy. The total memory use might not be known if no size is
2731 * given, in that case the amount of memory per element is used.
2733 static const struct nft_set_ops *
2734 nft_select_set_ops(const struct nft_ctx *ctx,
2735 const struct nlattr * const nla[],
2736 const struct nft_set_desc *desc,
2737 enum nft_set_policies policy)
2739 const struct nft_set_ops *ops, *bops;
2740 struct nft_set_estimate est, best;
2741 const struct nft_set_type *type;
2744 #ifdef CONFIG_MODULES
2745 if (list_empty(&nf_tables_set_types)) {
2746 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2747 request_module("nft-set");
2748 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2749 if (!list_empty(&nf_tables_set_types))
2750 return ERR_PTR(-EAGAIN);
2753 if (nla[NFTA_SET_FLAGS] != NULL)
2754 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2761 list_for_each_entry(type, &nf_tables_set_types, list) {
2764 if (!nft_set_ops_candidate(type, flags))
2766 if (!ops->estimate(desc, flags, &est))
2770 case NFT_SET_POL_PERFORMANCE:
2771 if (est.lookup < best.lookup)
2773 if (est.lookup == best.lookup &&
2774 est.space < best.space)
2777 case NFT_SET_POL_MEMORY:
2779 if (est.space < best.space)
2781 if (est.space == best.space &&
2782 est.lookup < best.lookup)
2784 } else if (est.size < best.size || !bops) {
2792 if (!try_module_get(type->owner))
2795 module_put(to_set_type(bops)->owner);
2804 return ERR_PTR(-EOPNOTSUPP);
2807 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2808 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2809 .len = NFT_TABLE_MAXNAMELEN - 1 },
2810 [NFTA_SET_NAME] = { .type = NLA_STRING,
2811 .len = NFT_SET_MAXNAMELEN - 1 },
2812 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2813 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2814 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2815 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2816 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2817 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2818 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2819 [NFTA_SET_ID] = { .type = NLA_U32 },
2820 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2821 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2822 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2823 .len = NFT_USERDATA_MAXLEN },
2824 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2825 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
2828 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2829 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2832 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2833 const struct sk_buff *skb,
2834 const struct nlmsghdr *nlh,
2835 const struct nlattr * const nla[],
2836 struct netlink_ext_ack *extack,
2839 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2840 int family = nfmsg->nfgen_family;
2841 struct nft_table *table = NULL;
2843 if (nla[NFTA_SET_TABLE] != NULL) {
2844 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
2846 if (IS_ERR(table)) {
2847 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
2848 return PTR_ERR(table);
2852 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
2856 static struct nft_set *nft_set_lookup(const struct nft_table *table,
2857 const struct nlattr *nla, u8 genmask)
2859 struct nft_set *set;
2862 return ERR_PTR(-EINVAL);
2864 list_for_each_entry_rcu(set, &table->sets, list) {
2865 if (!nla_strcmp(nla, set->name) &&
2866 nft_active_genmask(set, genmask))
2869 return ERR_PTR(-ENOENT);
2872 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
2873 const struct nlattr *nla,
2876 struct nft_set *set;
2878 list_for_each_entry(set, &table->sets, list) {
2879 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
2880 nft_active_genmask(set, genmask))
2883 return ERR_PTR(-ENOENT);
2886 static struct nft_set *nft_set_lookup_byid(const struct net *net,
2887 const struct nlattr *nla, u8 genmask)
2889 struct nft_trans *trans;
2890 u32 id = ntohl(nla_get_be32(nla));
2892 list_for_each_entry(trans, &net->nft.commit_list, list) {
2893 if (trans->msg_type == NFT_MSG_NEWSET) {
2894 struct nft_set *set = nft_trans_set(trans);
2896 if (id == nft_trans_set_id(trans) &&
2897 nft_active_genmask(set, genmask))
2901 return ERR_PTR(-ENOENT);
2904 struct nft_set *nft_set_lookup_global(const struct net *net,
2905 const struct nft_table *table,
2906 const struct nlattr *nla_set_name,
2907 const struct nlattr *nla_set_id,
2910 struct nft_set *set;
2912 set = nft_set_lookup(table, nla_set_name, genmask);
2917 set = nft_set_lookup_byid(net, nla_set_id, genmask);
2921 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
2923 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2926 const struct nft_set *i;
2928 unsigned long *inuse;
2929 unsigned int n = 0, min = 0;
2931 p = strchr(name, '%');
2933 if (p[1] != 'd' || strchr(p + 2, '%'))
2936 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2940 list_for_each_entry(i, &ctx->table->sets, list) {
2943 if (!nft_is_active_next(ctx->net, set))
2945 if (!sscanf(i->name, name, &tmp))
2947 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2950 set_bit(tmp - min, inuse);
2953 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2954 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2955 min += BITS_PER_BYTE * PAGE_SIZE;
2956 memset(inuse, 0, PAGE_SIZE);
2959 free_page((unsigned long)inuse);
2962 set->name = kasprintf(GFP_KERNEL, name, min + n);
2966 list_for_each_entry(i, &ctx->table->sets, list) {
2967 if (!nft_is_active_next(ctx->net, i))
2969 if (!strcmp(set->name, i->name)) {
2977 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
2979 u64 ms = be64_to_cpu(nla_get_be64(nla));
2980 u64 max = (u64)(~((u64)0));
2982 max = div_u64(max, NSEC_PER_MSEC);
2986 ms *= NSEC_PER_MSEC;
2987 *result = nsecs_to_jiffies64(ms);
2991 static __be64 nf_jiffies64_to_msecs(u64 input)
2993 u64 ms = jiffies64_to_nsecs(input);
2995 return cpu_to_be64(div_u64(ms, NSEC_PER_MSEC));
2998 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2999 const struct nft_set *set, u16 event, u16 flags)
3001 struct nfgenmsg *nfmsg;
3002 struct nlmsghdr *nlh;
3003 struct nlattr *desc;
3004 u32 portid = ctx->portid;
3007 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3008 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3011 goto nla_put_failure;
3013 nfmsg = nlmsg_data(nlh);
3014 nfmsg->nfgen_family = ctx->family;
3015 nfmsg->version = NFNETLINK_V0;
3016 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3018 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3019 goto nla_put_failure;
3020 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3021 goto nla_put_failure;
3022 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3024 goto nla_put_failure;
3025 if (set->flags != 0)
3026 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3027 goto nla_put_failure;
3029 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3030 goto nla_put_failure;
3031 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3032 goto nla_put_failure;
3033 if (set->flags & NFT_SET_MAP) {
3034 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3035 goto nla_put_failure;
3036 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3037 goto nla_put_failure;
3039 if (set->flags & NFT_SET_OBJECT &&
3040 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3041 goto nla_put_failure;
3044 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3045 nf_jiffies64_to_msecs(set->timeout),
3047 goto nla_put_failure;
3049 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3050 goto nla_put_failure;
3052 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3053 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3054 goto nla_put_failure;
3057 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3058 goto nla_put_failure;
3060 desc = nla_nest_start(skb, NFTA_SET_DESC);
3062 goto nla_put_failure;
3064 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3065 goto nla_put_failure;
3066 nla_nest_end(skb, desc);
3068 nlmsg_end(skb, nlh);
3072 nlmsg_trim(skb, nlh);
3076 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3077 const struct nft_set *set, int event,
3080 struct sk_buff *skb;
3081 u32 portid = ctx->portid;
3085 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3088 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3092 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3098 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3102 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3105 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3107 const struct nft_set *set;
3108 unsigned int idx, s_idx = cb->args[0];
3109 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3110 struct net *net = sock_net(skb->sk);
3111 struct nft_ctx *ctx = cb->data, ctx_set;
3117 cb->seq = net->nft.base_seq;
3119 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3120 if (ctx->family != NFPROTO_UNSPEC &&
3121 ctx->family != table->family)
3124 if (ctx->table && ctx->table != table)
3128 if (cur_table != table)
3134 list_for_each_entry_rcu(set, &table->sets, list) {
3137 if (!nft_is_active(net, set))
3141 ctx_set.table = table;
3142 ctx_set.family = table->family;
3144 if (nf_tables_fill_set(skb, &ctx_set, set,
3148 cb->args[2] = (unsigned long) table;
3151 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3164 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3170 /* called with rcu_read_lock held */
3171 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3172 struct sk_buff *skb, const struct nlmsghdr *nlh,
3173 const struct nlattr * const nla[],
3174 struct netlink_ext_ack *extack)
3176 u8 genmask = nft_genmask_cur(net);
3177 const struct nft_set *set;
3179 struct sk_buff *skb2;
3180 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3183 /* Verify existence before starting dump */
3184 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3189 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3190 struct netlink_dump_control c = {
3191 .dump = nf_tables_dump_sets,
3192 .done = nf_tables_dump_sets_done,
3193 .module = THIS_MODULE,
3195 struct nft_ctx *ctx_dump;
3197 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_ATOMIC);
3198 if (ctx_dump == NULL)
3204 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3207 /* Only accept unspec with dump */
3208 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3209 return -EAFNOSUPPORT;
3210 if (!nla[NFTA_SET_TABLE])
3213 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3215 return PTR_ERR(set);
3217 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3221 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3225 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3232 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3233 struct nft_set_desc *desc,
3234 const struct nlattr *nla)
3236 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3239 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3240 nft_set_desc_policy, NULL);
3244 if (da[NFTA_SET_DESC_SIZE] != NULL)
3245 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3250 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3251 struct sk_buff *skb, const struct nlmsghdr *nlh,
3252 const struct nlattr * const nla[],
3253 struct netlink_ext_ack *extack)
3255 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3256 u8 genmask = nft_genmask_next(net);
3257 int family = nfmsg->nfgen_family;
3258 const struct nft_set_ops *ops;
3259 struct nft_table *table;
3260 struct nft_set *set;
3266 u32 ktype, dtype, flags, policy, gc_int, objtype;
3267 struct nft_set_desc desc;
3268 unsigned char *udata;
3272 if (nla[NFTA_SET_TABLE] == NULL ||
3273 nla[NFTA_SET_NAME] == NULL ||
3274 nla[NFTA_SET_KEY_LEN] == NULL ||
3275 nla[NFTA_SET_ID] == NULL)
3278 memset(&desc, 0, sizeof(desc));
3280 ktype = NFT_DATA_VALUE;
3281 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3282 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3283 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3287 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3288 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3292 if (nla[NFTA_SET_FLAGS] != NULL) {
3293 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3294 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3295 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3296 NFT_SET_MAP | NFT_SET_EVAL |
3299 /* Only one of these operations is supported */
3300 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3301 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3306 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3307 if (!(flags & NFT_SET_MAP))
3310 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3311 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3312 dtype != NFT_DATA_VERDICT)
3315 if (dtype != NFT_DATA_VERDICT) {
3316 if (nla[NFTA_SET_DATA_LEN] == NULL)
3318 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3319 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3322 desc.dlen = sizeof(struct nft_verdict);
3323 } else if (flags & NFT_SET_MAP)
3326 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3327 if (!(flags & NFT_SET_OBJECT))
3330 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3331 if (objtype == NFT_OBJECT_UNSPEC ||
3332 objtype > NFT_OBJECT_MAX)
3334 } else if (flags & NFT_SET_OBJECT)
3337 objtype = NFT_OBJECT_UNSPEC;
3340 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3341 if (!(flags & NFT_SET_TIMEOUT))
3344 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3349 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3350 if (!(flags & NFT_SET_TIMEOUT))
3352 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3355 policy = NFT_SET_POL_PERFORMANCE;
3356 if (nla[NFTA_SET_POLICY] != NULL)
3357 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3359 if (nla[NFTA_SET_DESC] != NULL) {
3360 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3365 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3367 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3368 if (IS_ERR(table)) {
3369 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3370 return PTR_ERR(table);
3373 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3375 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3377 if (PTR_ERR(set) != -ENOENT) {
3378 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3379 return PTR_ERR(set);
3382 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3383 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3386 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3392 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3395 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3397 return PTR_ERR(ops);
3400 if (nla[NFTA_SET_USERDATA])
3401 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3404 if (ops->privsize != NULL)
3405 size = ops->privsize(nla, &desc);
3407 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3413 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3419 err = nf_tables_set_alloc_name(&ctx, set, name);
3426 udata = set->data + size;
3427 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3430 INIT_LIST_HEAD(&set->bindings);
3432 write_pnet(&set->net, net);
3435 set->klen = desc.klen;
3437 set->objtype = objtype;
3438 set->dlen = desc.dlen;
3440 set->size = desc.size;
3441 set->policy = policy;
3444 set->timeout = timeout;
3445 set->gc_int = gc_int;
3446 set->handle = nf_tables_alloc_handle(table);
3448 err = ops->init(set, &desc, nla);
3452 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3456 list_add_tail_rcu(&set->list, &table->sets);
3467 module_put(to_set_type(ops)->owner);
3471 static void nft_set_destroy(struct nft_set *set)
3473 set->ops->destroy(set);
3474 module_put(to_set_type(set->ops)->owner);
3479 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3481 list_del_rcu(&set->list);
3482 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3483 nft_set_destroy(set);
3486 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3487 struct sk_buff *skb, const struct nlmsghdr *nlh,
3488 const struct nlattr * const nla[],
3489 struct netlink_ext_ack *extack)
3491 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3492 u8 genmask = nft_genmask_next(net);
3493 const struct nlattr *attr;
3494 struct nft_set *set;
3498 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3499 return -EAFNOSUPPORT;
3500 if (nla[NFTA_SET_TABLE] == NULL)
3503 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3508 if (nla[NFTA_SET_HANDLE]) {
3509 attr = nla[NFTA_SET_HANDLE];
3510 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3512 attr = nla[NFTA_SET_NAME];
3513 set = nft_set_lookup(ctx.table, attr, genmask);
3517 NL_SET_BAD_ATTR(extack, attr);
3518 return PTR_ERR(set);
3520 if (!list_empty(&set->bindings) ||
3521 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3522 NL_SET_BAD_ATTR(extack, attr);
3526 return nft_delset(&ctx, set);
3529 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3530 struct nft_set *set,
3531 const struct nft_set_iter *iter,
3532 struct nft_set_elem *elem)
3534 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3535 enum nft_registers dreg;
3537 dreg = nft_type_to_reg(set->dtype);
3538 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3539 set->dtype == NFT_DATA_VERDICT ?
3540 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3544 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3545 struct nft_set_binding *binding)
3547 struct nft_set_binding *i;
3548 struct nft_set_iter iter;
3550 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3553 if (binding->flags & NFT_SET_MAP) {
3554 /* If the set is already bound to the same chain all
3555 * jumps are already validated for that chain.
3557 list_for_each_entry(i, &set->bindings, list) {
3558 if (i->flags & NFT_SET_MAP &&
3559 i->chain == binding->chain)
3563 iter.genmask = nft_genmask_next(ctx->net);
3567 iter.fn = nf_tables_bind_check_setelem;
3569 set->ops->walk(ctx, set, &iter);
3574 binding->chain = ctx->chain;
3575 list_add_tail_rcu(&binding->list, &set->bindings);
3578 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3580 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3581 struct nft_set_binding *binding)
3583 list_del_rcu(&binding->list);
3585 if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
3586 nft_is_active(ctx->net, set))
3587 nf_tables_set_destroy(ctx, set);
3589 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3591 const struct nft_set_ext_type nft_set_ext_types[] = {
3592 [NFT_SET_EXT_KEY] = {
3593 .align = __alignof__(u32),
3595 [NFT_SET_EXT_DATA] = {
3596 .align = __alignof__(u32),
3598 [NFT_SET_EXT_EXPR] = {
3599 .align = __alignof__(struct nft_expr),
3601 [NFT_SET_EXT_OBJREF] = {
3602 .len = sizeof(struct nft_object *),
3603 .align = __alignof__(struct nft_object *),
3605 [NFT_SET_EXT_FLAGS] = {
3607 .align = __alignof__(u8),
3609 [NFT_SET_EXT_TIMEOUT] = {
3611 .align = __alignof__(u64),
3613 [NFT_SET_EXT_EXPIRATION] = {
3615 .align = __alignof__(u64),
3617 [NFT_SET_EXT_USERDATA] = {
3618 .len = sizeof(struct nft_userdata),
3619 .align = __alignof__(struct nft_userdata),
3622 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3628 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3629 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3630 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3631 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3632 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3633 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3634 .len = NFT_USERDATA_MAXLEN },
3635 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3636 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3639 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3640 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3641 .len = NFT_TABLE_MAXNAMELEN - 1 },
3642 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3643 .len = NFT_SET_MAXNAMELEN - 1 },
3644 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3645 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3648 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3649 const struct sk_buff *skb,
3650 const struct nlmsghdr *nlh,
3651 const struct nlattr * const nla[],
3652 struct netlink_ext_ack *extack,
3655 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3656 int family = nfmsg->nfgen_family;
3657 struct nft_table *table;
3659 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3661 if (IS_ERR(table)) {
3662 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3663 return PTR_ERR(table);
3666 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3670 static int nf_tables_fill_setelem(struct sk_buff *skb,
3671 const struct nft_set *set,
3672 const struct nft_set_elem *elem)
3674 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3675 unsigned char *b = skb_tail_pointer(skb);
3676 struct nlattr *nest;
3678 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3680 goto nla_put_failure;
3682 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3683 NFT_DATA_VALUE, set->klen) < 0)
3684 goto nla_put_failure;
3686 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3687 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3688 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3690 goto nla_put_failure;
3692 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3693 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3694 goto nla_put_failure;
3696 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3697 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3698 (*nft_set_ext_obj(ext))->name) < 0)
3699 goto nla_put_failure;
3701 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3702 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3703 htonl(*nft_set_ext_flags(ext))))
3704 goto nla_put_failure;
3706 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3707 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3708 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3710 goto nla_put_failure;
3712 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3713 u64 expires, now = get_jiffies_64();
3715 expires = *nft_set_ext_expiration(ext);
3716 if (time_before64(now, expires))
3721 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3722 nf_jiffies64_to_msecs(expires),
3724 goto nla_put_failure;
3727 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3728 struct nft_userdata *udata;
3730 udata = nft_set_ext_userdata(ext);
3731 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3732 udata->len + 1, udata->data))
3733 goto nla_put_failure;
3736 nla_nest_end(skb, nest);
3744 struct nft_set_dump_args {
3745 const struct netlink_callback *cb;
3746 struct nft_set_iter iter;
3747 struct sk_buff *skb;
3750 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3751 struct nft_set *set,
3752 const struct nft_set_iter *iter,
3753 struct nft_set_elem *elem)
3755 struct nft_set_dump_args *args;
3757 args = container_of(iter, struct nft_set_dump_args, iter);
3758 return nf_tables_fill_setelem(args->skb, set, elem);
3761 struct nft_set_dump_ctx {
3762 const struct nft_set *set;
3766 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3768 struct nft_set_dump_ctx *dump_ctx = cb->data;
3769 struct net *net = sock_net(skb->sk);
3770 struct nft_table *table;
3771 struct nft_set *set;
3772 struct nft_set_dump_args args;
3773 bool set_found = false;
3774 struct nfgenmsg *nfmsg;
3775 struct nlmsghdr *nlh;
3776 struct nlattr *nest;
3781 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3782 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
3783 dump_ctx->ctx.family != table->family)
3786 if (table != dump_ctx->ctx.table)
3789 list_for_each_entry_rcu(set, &table->sets, list) {
3790 if (set == dump_ctx->set) {
3803 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3804 portid = NETLINK_CB(cb->skb).portid;
3805 seq = cb->nlh->nlmsg_seq;
3807 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3810 goto nla_put_failure;
3812 nfmsg = nlmsg_data(nlh);
3813 nfmsg->nfgen_family = table->family;
3814 nfmsg->version = NFNETLINK_V0;
3815 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3817 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3818 goto nla_put_failure;
3819 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3820 goto nla_put_failure;
3822 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3824 goto nla_put_failure;
3828 args.iter.genmask = nft_genmask_cur(net);
3829 args.iter.skip = cb->args[0];
3830 args.iter.count = 0;
3832 args.iter.fn = nf_tables_dump_setelem;
3833 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3836 nla_nest_end(skb, nest);
3837 nlmsg_end(skb, nlh);
3839 if (args.iter.err && args.iter.err != -EMSGSIZE)
3840 return args.iter.err;
3841 if (args.iter.count == cb->args[0])
3844 cb->args[0] = args.iter.count;
3852 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3858 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3859 const struct nft_ctx *ctx, u32 seq,
3860 u32 portid, int event, u16 flags,
3861 const struct nft_set *set,
3862 const struct nft_set_elem *elem)
3864 struct nfgenmsg *nfmsg;
3865 struct nlmsghdr *nlh;
3866 struct nlattr *nest;
3869 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3870 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3873 goto nla_put_failure;
3875 nfmsg = nlmsg_data(nlh);
3876 nfmsg->nfgen_family = ctx->family;
3877 nfmsg->version = NFNETLINK_V0;
3878 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3880 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3881 goto nla_put_failure;
3882 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3883 goto nla_put_failure;
3885 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3887 goto nla_put_failure;
3889 err = nf_tables_fill_setelem(skb, set, elem);
3891 goto nla_put_failure;
3893 nla_nest_end(skb, nest);
3895 nlmsg_end(skb, nlh);
3899 nlmsg_trim(skb, nlh);
3903 static int nft_setelem_parse_flags(const struct nft_set *set,
3904 const struct nlattr *attr, u32 *flags)
3909 *flags = ntohl(nla_get_be32(attr));
3910 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3912 if (!(set->flags & NFT_SET_INTERVAL) &&
3913 *flags & NFT_SET_ELEM_INTERVAL_END)
3919 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3920 const struct nlattr *attr)
3922 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3923 const struct nft_set_ext *ext;
3924 struct nft_data_desc desc;
3925 struct nft_set_elem elem;
3926 struct sk_buff *skb;
3931 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3932 nft_set_elem_policy, NULL);
3936 if (!nla[NFTA_SET_ELEM_KEY])
3939 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3943 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3944 nla[NFTA_SET_ELEM_KEY]);
3949 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3952 priv = set->ops->get(ctx->net, set, &elem, flags);
3954 return PTR_ERR(priv);
3957 ext = nft_set_elem_ext(set, &elem);
3960 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
3964 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3965 NFT_MSG_NEWSETELEM, 0, set, &elem);
3969 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3970 /* This avoids a loop in nfnetlink. */
3978 /* this avoids a loop in nfnetlink. */
3979 return err == -EAGAIN ? -ENOBUFS : err;
3982 /* called with rcu_read_lock held */
3983 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3984 struct sk_buff *skb, const struct nlmsghdr *nlh,
3985 const struct nlattr * const nla[],
3986 struct netlink_ext_ack *extack)
3988 u8 genmask = nft_genmask_cur(net);
3989 struct nft_set *set;
3990 struct nlattr *attr;
3994 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
3999 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4001 return PTR_ERR(set);
4003 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4004 struct netlink_dump_control c = {
4005 .dump = nf_tables_dump_set,
4006 .done = nf_tables_dump_set_done,
4007 .module = THIS_MODULE,
4009 struct nft_set_dump_ctx *dump_ctx;
4011 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_ATOMIC);
4015 dump_ctx->set = set;
4016 dump_ctx->ctx = ctx;
4019 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4022 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4025 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4026 err = nft_get_set_elem(&ctx, set, attr);
4034 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4035 const struct nft_set *set,
4036 const struct nft_set_elem *elem,
4037 int event, u16 flags)
4039 struct net *net = ctx->net;
4040 u32 portid = ctx->portid;
4041 struct sk_buff *skb;
4044 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4047 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4051 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4058 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4062 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4065 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4067 struct nft_set *set)
4069 struct nft_trans *trans;
4071 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4075 nft_trans_elem_set(trans) = set;
4079 void *nft_set_elem_init(const struct nft_set *set,
4080 const struct nft_set_ext_tmpl *tmpl,
4081 const u32 *key, const u32 *data,
4082 u64 timeout, gfp_t gfp)
4084 struct nft_set_ext *ext;
4087 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4091 ext = nft_set_elem_ext(set, elem);
4092 nft_set_ext_init(ext, tmpl);
4094 memcpy(nft_set_ext_key(ext), key, set->klen);
4095 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4096 memcpy(nft_set_ext_data(ext), data, set->dlen);
4097 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4098 *nft_set_ext_expiration(ext) =
4099 get_jiffies_64() + timeout;
4100 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4101 *nft_set_ext_timeout(ext) = timeout;
4106 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4109 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4110 struct nft_ctx ctx = {
4111 .net = read_pnet(&set->net),
4112 .family = set->table->family,
4115 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4116 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4117 nft_data_release(nft_set_ext_data(ext), set->dtype);
4118 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4119 struct nft_expr *expr = nft_set_ext_expr(ext);
4121 if (expr->ops->destroy_clone) {
4122 expr->ops->destroy_clone(&ctx, expr);
4123 module_put(expr->ops->type->owner);
4125 nf_tables_expr_destroy(&ctx, expr);
4128 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4129 (*nft_set_ext_obj(ext))->use--;
4132 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4134 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4135 * the refcounting from the preparation phase.
4137 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4138 const struct nft_set *set, void *elem)
4140 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4142 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4143 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4147 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4148 const struct nlattr *attr, u32 nlmsg_flags)
4150 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4151 u8 genmask = nft_genmask_next(ctx->net);
4152 struct nft_data_desc d1, d2;
4153 struct nft_set_ext_tmpl tmpl;
4154 struct nft_set_ext *ext, *ext2;
4155 struct nft_set_elem elem;
4156 struct nft_set_binding *binding;
4157 struct nft_object *obj = NULL;
4158 struct nft_userdata *udata;
4159 struct nft_data data;
4160 enum nft_registers dreg;
4161 struct nft_trans *trans;
4167 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4168 nft_set_elem_policy, NULL);
4172 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4175 nft_set_ext_prepare(&tmpl);
4177 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4181 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4183 if (set->flags & NFT_SET_MAP) {
4184 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4185 !(flags & NFT_SET_ELEM_INTERVAL_END))
4187 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4188 flags & NFT_SET_ELEM_INTERVAL_END)
4191 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4196 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4197 if (!(set->flags & NFT_SET_TIMEOUT))
4199 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4203 } else if (set->flags & NFT_SET_TIMEOUT) {
4204 timeout = set->timeout;
4207 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4208 nla[NFTA_SET_ELEM_KEY]);
4212 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4215 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4217 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4218 if (timeout != set->timeout)
4219 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4222 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4223 if (!(set->flags & NFT_SET_OBJECT)) {
4227 obj = nft_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4228 set->objtype, genmask);
4233 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4236 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4237 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4238 nla[NFTA_SET_ELEM_DATA]);
4243 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4246 dreg = nft_type_to_reg(set->dtype);
4247 list_for_each_entry(binding, &set->bindings, list) {
4248 struct nft_ctx bind_ctx = {
4250 .family = ctx->family,
4251 .table = ctx->table,
4252 .chain = (struct nft_chain *)binding->chain,
4255 if (!(binding->flags & NFT_SET_MAP))
4258 err = nft_validate_register_store(&bind_ctx, dreg,
4264 if (d2.type == NFT_DATA_VERDICT &&
4265 (data.verdict.code == NFT_GOTO ||
4266 data.verdict.code == NFT_JUMP))
4267 nft_validate_state_update(ctx->net,
4271 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4274 /* The full maximum length of userdata can exceed the maximum
4275 * offset value (U8_MAX) for following extensions, therefor it
4276 * must be the last extension added.
4279 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4280 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4282 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4287 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4288 timeout, GFP_KERNEL);
4289 if (elem.priv == NULL)
4292 ext = nft_set_elem_ext(set, elem.priv);
4294 *nft_set_ext_flags(ext) = flags;
4296 udata = nft_set_ext_userdata(ext);
4297 udata->len = ulen - 1;
4298 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4301 *nft_set_ext_obj(ext) = obj;
4305 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4309 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4310 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4312 if (err == -EEXIST) {
4313 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4314 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4315 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4316 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4320 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4321 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4322 memcmp(nft_set_ext_data(ext),
4323 nft_set_ext_data(ext2), set->dlen) != 0) ||
4324 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4325 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4326 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4328 else if (!(nlmsg_flags & NLM_F_EXCL))
4335 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4340 nft_trans_elem(trans) = elem;
4341 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4345 set->ops->remove(ctx->net, set, &elem);
4351 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4352 nft_data_release(&data, d2.type);
4354 nft_data_release(&elem.key.val, d1.type);
4359 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4360 struct sk_buff *skb, const struct nlmsghdr *nlh,
4361 const struct nlattr * const nla[],
4362 struct netlink_ext_ack *extack)
4364 u8 genmask = nft_genmask_next(net);
4365 const struct nlattr *attr;
4366 struct nft_set *set;
4370 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4373 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4378 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4379 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4381 return PTR_ERR(set);
4383 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4386 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4387 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4392 if (net->nft.validate_state == NFT_VALIDATE_DO)
4393 return nft_table_validate(net, ctx.table);
4399 * nft_data_hold - hold a nft_data item
4401 * @data: struct nft_data to release
4402 * @type: type of data
4404 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4405 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4406 * NFT_GOTO verdicts. This function must be called on active data objects
4407 * from the second phase of the commit protocol.
4409 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4411 if (type == NFT_DATA_VERDICT) {
4412 switch (data->verdict.code) {
4415 data->verdict.chain->use++;
4421 static void nft_set_elem_activate(const struct net *net,
4422 const struct nft_set *set,
4423 struct nft_set_elem *elem)
4425 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4427 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4428 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4429 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4430 (*nft_set_ext_obj(ext))->use++;
4433 static void nft_set_elem_deactivate(const struct net *net,
4434 const struct nft_set *set,
4435 struct nft_set_elem *elem)
4437 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4439 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4440 nft_data_release(nft_set_ext_data(ext), set->dtype);
4441 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4442 (*nft_set_ext_obj(ext))->use--;
4445 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4446 const struct nlattr *attr)
4448 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4449 struct nft_set_ext_tmpl tmpl;
4450 struct nft_data_desc desc;
4451 struct nft_set_elem elem;
4452 struct nft_set_ext *ext;
4453 struct nft_trans *trans;
4458 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4459 nft_set_elem_policy, NULL);
4464 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4467 nft_set_ext_prepare(&tmpl);
4469 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4473 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4475 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4476 nla[NFTA_SET_ELEM_KEY]);
4481 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4484 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4487 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4489 if (elem.priv == NULL)
4492 ext = nft_set_elem_ext(set, elem.priv);
4494 *nft_set_ext_flags(ext) = flags;
4496 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4497 if (trans == NULL) {
4502 priv = set->ops->deactivate(ctx->net, set, &elem);
4510 nft_set_elem_deactivate(ctx->net, set, &elem);
4512 nft_trans_elem(trans) = elem;
4513 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4521 nft_data_release(&elem.key.val, desc.type);
4526 static int nft_flush_set(const struct nft_ctx *ctx,
4527 struct nft_set *set,
4528 const struct nft_set_iter *iter,
4529 struct nft_set_elem *elem)
4531 struct nft_trans *trans;
4534 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4535 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4539 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4545 nft_trans_elem_set(trans) = set;
4546 nft_trans_elem(trans) = *elem;
4547 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4555 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4556 struct sk_buff *skb, const struct nlmsghdr *nlh,
4557 const struct nlattr * const nla[],
4558 struct netlink_ext_ack *extack)
4560 u8 genmask = nft_genmask_next(net);
4561 const struct nlattr *attr;
4562 struct nft_set *set;
4566 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4571 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4573 return PTR_ERR(set);
4574 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4577 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4578 struct nft_set_iter iter = {
4580 .fn = nft_flush_set,
4582 set->ops->walk(&ctx, set, &iter);
4587 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4588 err = nft_del_setelem(&ctx, set, attr);
4597 void nft_set_gc_batch_release(struct rcu_head *rcu)
4599 struct nft_set_gc_batch *gcb;
4602 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4603 for (i = 0; i < gcb->head.cnt; i++)
4604 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4607 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4609 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4612 struct nft_set_gc_batch *gcb;
4614 gcb = kzalloc(sizeof(*gcb), gfp);
4617 gcb->head.set = set;
4620 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4627 * nft_register_obj- register nf_tables stateful object type
4630 * Registers the object type for use with nf_tables. Returns zero on
4631 * success or a negative errno code otherwise.
4633 int nft_register_obj(struct nft_object_type *obj_type)
4635 if (obj_type->type == NFT_OBJECT_UNSPEC)
4638 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4639 list_add_rcu(&obj_type->list, &nf_tables_objects);
4640 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4643 EXPORT_SYMBOL_GPL(nft_register_obj);
4646 * nft_unregister_obj - unregister nf_tables object type
4649 * Unregisters the object type for use with nf_tables.
4651 void nft_unregister_obj(struct nft_object_type *obj_type)
4653 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4654 list_del_rcu(&obj_type->list);
4655 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4657 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4659 struct nft_object *nft_obj_lookup(const struct nft_table *table,
4660 const struct nlattr *nla, u32 objtype,
4663 struct nft_object *obj;
4665 list_for_each_entry_rcu(obj, &table->objects, list) {
4666 if (!nla_strcmp(nla, obj->name) &&
4667 objtype == obj->ops->type->type &&
4668 nft_active_genmask(obj, genmask))
4671 return ERR_PTR(-ENOENT);
4673 EXPORT_SYMBOL_GPL(nft_obj_lookup);
4675 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4676 const struct nlattr *nla,
4677 u32 objtype, u8 genmask)
4679 struct nft_object *obj;
4681 list_for_each_entry(obj, &table->objects, list) {
4682 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4683 objtype == obj->ops->type->type &&
4684 nft_active_genmask(obj, genmask))
4687 return ERR_PTR(-ENOENT);
4690 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4691 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4692 .len = NFT_TABLE_MAXNAMELEN - 1 },
4693 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4694 .len = NFT_OBJ_MAXNAMELEN - 1 },
4695 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4696 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4697 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4700 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4701 const struct nft_object_type *type,
4702 const struct nlattr *attr)
4705 const struct nft_object_ops *ops;
4706 struct nft_object *obj;
4709 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4714 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4719 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4722 if (type->select_ops) {
4723 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4733 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4737 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4750 return ERR_PTR(err);
4753 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4754 struct nft_object *obj, bool reset)
4756 struct nlattr *nest;
4758 nest = nla_nest_start(skb, attr);
4760 goto nla_put_failure;
4761 if (obj->ops->dump(skb, obj, reset) < 0)
4762 goto nla_put_failure;
4763 nla_nest_end(skb, nest);
4770 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4772 const struct nft_object_type *type;
4774 list_for_each_entry(type, &nf_tables_objects, list) {
4775 if (objtype == type->type)
4781 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4783 const struct nft_object_type *type;
4785 type = __nft_obj_type_get(objtype);
4786 if (type != NULL && try_module_get(type->owner))
4789 #ifdef CONFIG_MODULES
4791 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4792 request_module("nft-obj-%u", objtype);
4793 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4794 if (__nft_obj_type_get(objtype))
4795 return ERR_PTR(-EAGAIN);
4798 return ERR_PTR(-ENOENT);
4801 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4802 struct sk_buff *skb, const struct nlmsghdr *nlh,
4803 const struct nlattr * const nla[],
4804 struct netlink_ext_ack *extack)
4806 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4807 const struct nft_object_type *type;
4808 u8 genmask = nft_genmask_next(net);
4809 int family = nfmsg->nfgen_family;
4810 struct nft_table *table;
4811 struct nft_object *obj;
4816 if (!nla[NFTA_OBJ_TYPE] ||
4817 !nla[NFTA_OBJ_NAME] ||
4818 !nla[NFTA_OBJ_DATA])
4821 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
4822 if (IS_ERR(table)) {
4823 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
4824 return PTR_ERR(table);
4827 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4828 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4831 if (err != -ENOENT) {
4832 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4836 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4837 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
4843 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4845 type = nft_obj_type_get(objtype);
4847 return PTR_ERR(type);
4849 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4855 obj->handle = nf_tables_alloc_handle(table);
4857 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4863 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4867 list_add_tail_rcu(&obj->list, &table->objects);
4873 if (obj->ops->destroy)
4874 obj->ops->destroy(&ctx, obj);
4877 module_put(type->owner);
4881 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4882 u32 portid, u32 seq, int event, u32 flags,
4883 int family, const struct nft_table *table,
4884 struct nft_object *obj, bool reset)
4886 struct nfgenmsg *nfmsg;
4887 struct nlmsghdr *nlh;
4889 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4890 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4892 goto nla_put_failure;
4894 nfmsg = nlmsg_data(nlh);
4895 nfmsg->nfgen_family = family;
4896 nfmsg->version = NFNETLINK_V0;
4897 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4899 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4900 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4901 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4902 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4903 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
4904 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
4906 goto nla_put_failure;
4908 nlmsg_end(skb, nlh);
4912 nlmsg_trim(skb, nlh);
4916 struct nft_obj_filter {
4921 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4923 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4924 const struct nft_table *table;
4925 unsigned int idx = 0, s_idx = cb->args[0];
4926 struct nft_obj_filter *filter = cb->data;
4927 struct net *net = sock_net(skb->sk);
4928 int family = nfmsg->nfgen_family;
4929 struct nft_object *obj;
4932 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4936 cb->seq = net->nft.base_seq;
4938 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4939 if (family != NFPROTO_UNSPEC && family != table->family)
4942 list_for_each_entry_rcu(obj, &table->objects, list) {
4943 if (!nft_is_active(net, obj))
4948 memset(&cb->args[1], 0,
4949 sizeof(cb->args) - sizeof(cb->args[0]));
4950 if (filter && filter->table &&
4951 strcmp(filter->table, table->name))
4954 filter->type != NFT_OBJECT_UNSPEC &&
4955 obj->ops->type->type != filter->type)
4958 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4961 NLM_F_MULTI | NLM_F_APPEND,
4962 table->family, table,
4966 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4978 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4980 struct nft_obj_filter *filter = cb->data;
4983 kfree(filter->table);
4990 static struct nft_obj_filter *
4991 nft_obj_filter_alloc(const struct nlattr * const nla[])
4993 struct nft_obj_filter *filter;
4995 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
4997 return ERR_PTR(-ENOMEM);
4999 if (nla[NFTA_OBJ_TABLE]) {
5000 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5001 if (!filter->table) {
5003 return ERR_PTR(-ENOMEM);
5006 if (nla[NFTA_OBJ_TYPE])
5007 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5012 /* called with rcu_read_lock held */
5013 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5014 struct sk_buff *skb, const struct nlmsghdr *nlh,
5015 const struct nlattr * const nla[],
5016 struct netlink_ext_ack *extack)
5018 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5019 u8 genmask = nft_genmask_cur(net);
5020 int family = nfmsg->nfgen_family;
5021 const struct nft_table *table;
5022 struct nft_object *obj;
5023 struct sk_buff *skb2;
5028 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5029 struct netlink_dump_control c = {
5030 .dump = nf_tables_dump_obj,
5031 .done = nf_tables_dump_obj_done,
5032 .module = THIS_MODULE,
5035 if (nla[NFTA_OBJ_TABLE] ||
5036 nla[NFTA_OBJ_TYPE]) {
5037 struct nft_obj_filter *filter;
5039 filter = nft_obj_filter_alloc(nla);
5045 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5048 if (!nla[NFTA_OBJ_NAME] ||
5049 !nla[NFTA_OBJ_TYPE])
5052 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5053 if (IS_ERR(table)) {
5054 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5055 return PTR_ERR(table);
5058 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5059 obj = nft_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
5061 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5062 return PTR_ERR(obj);
5065 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5069 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5072 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5073 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5074 family, table, obj, reset);
5078 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5084 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5086 if (obj->ops->destroy)
5087 obj->ops->destroy(ctx, obj);
5089 module_put(obj->ops->type->owner);
5094 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5095 struct sk_buff *skb, const struct nlmsghdr *nlh,
5096 const struct nlattr * const nla[],
5097 struct netlink_ext_ack *extack)
5099 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5100 u8 genmask = nft_genmask_next(net);
5101 int family = nfmsg->nfgen_family;
5102 const struct nlattr *attr;
5103 struct nft_table *table;
5104 struct nft_object *obj;
5108 if (!nla[NFTA_OBJ_TYPE] ||
5109 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5112 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5113 if (IS_ERR(table)) {
5114 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5115 return PTR_ERR(table);
5118 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5119 if (nla[NFTA_OBJ_HANDLE]) {
5120 attr = nla[NFTA_OBJ_HANDLE];
5121 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5123 attr = nla[NFTA_OBJ_NAME];
5124 obj = nft_obj_lookup(table, attr, objtype, genmask);
5128 NL_SET_BAD_ATTR(extack, attr);
5129 return PTR_ERR(obj);
5132 NL_SET_BAD_ATTR(extack, attr);
5136 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5138 return nft_delobj(&ctx, obj);
5141 void nft_obj_notify(struct net *net, struct nft_table *table,
5142 struct nft_object *obj, u32 portid, u32 seq, int event,
5143 int family, int report, gfp_t gfp)
5145 struct sk_buff *skb;
5149 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5152 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5156 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5163 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5166 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5168 EXPORT_SYMBOL_GPL(nft_obj_notify);
5170 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5171 struct nft_object *obj, int event)
5173 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5174 ctx->family, ctx->report, GFP_KERNEL);
5180 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5182 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5183 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5184 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5186 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5188 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5190 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5191 list_del_rcu(&type->list);
5192 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5194 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5196 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5197 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5198 .len = NFT_NAME_MAXLEN - 1 },
5199 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5200 .len = NFT_NAME_MAXLEN - 1 },
5201 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5202 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5205 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5206 const struct nlattr *nla, u8 genmask)
5208 struct nft_flowtable *flowtable;
5210 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5211 if (!nla_strcmp(nla, flowtable->name) &&
5212 nft_active_genmask(flowtable, genmask))
5215 return ERR_PTR(-ENOENT);
5217 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5219 static struct nft_flowtable *
5220 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5221 const struct nlattr *nla, u8 genmask)
5223 struct nft_flowtable *flowtable;
5225 list_for_each_entry(flowtable, &table->flowtables, list) {
5226 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5227 nft_active_genmask(flowtable, genmask))
5230 return ERR_PTR(-ENOENT);
5233 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5234 const struct nlattr *attr,
5235 struct net_device *dev_array[], int *len)
5237 const struct nlattr *tmp;
5238 struct net_device *dev;
5239 char ifname[IFNAMSIZ];
5240 int rem, n = 0, err;
5242 nla_for_each_nested(tmp, attr, rem) {
5243 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5248 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5249 dev = __dev_get_by_name(ctx->net, ifname);
5255 dev_array[n++] = dev;
5256 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5270 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5271 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5272 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5273 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5276 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5277 const struct nlattr *attr,
5278 struct nft_flowtable *flowtable)
5280 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5281 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5282 struct nf_hook_ops *ops;
5283 int hooknum, priority;
5286 err = nla_parse_nested(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5287 nft_flowtable_hook_policy, NULL);
5291 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5292 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5293 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5296 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5297 if (hooknum != NF_NETDEV_INGRESS)
5300 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5302 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5307 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5311 flowtable->hooknum = hooknum;
5312 flowtable->priority = priority;
5313 flowtable->ops = ops;
5314 flowtable->ops_len = n;
5316 for (i = 0; i < n; i++) {
5317 flowtable->ops[i].pf = NFPROTO_NETDEV;
5318 flowtable->ops[i].hooknum = hooknum;
5319 flowtable->ops[i].priority = priority;
5320 flowtable->ops[i].priv = &flowtable->data;
5321 flowtable->ops[i].hook = flowtable->data.type->hook;
5322 flowtable->ops[i].dev = dev_array[i];
5323 flowtable->dev_name[i] = kstrdup(dev_array[i]->name,
5330 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5332 const struct nf_flowtable_type *type;
5334 list_for_each_entry(type, &nf_tables_flowtables, list) {
5335 if (family == type->family)
5341 static const struct nf_flowtable_type *nft_flowtable_type_get(u8 family)
5343 const struct nf_flowtable_type *type;
5345 type = __nft_flowtable_type_get(family);
5346 if (type != NULL && try_module_get(type->owner))
5349 #ifdef CONFIG_MODULES
5351 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5352 request_module("nf-flowtable-%u", family);
5353 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5354 if (__nft_flowtable_type_get(family))
5355 return ERR_PTR(-EAGAIN);
5358 return ERR_PTR(-ENOENT);
5361 static void nft_unregister_flowtable_net_hooks(struct net *net,
5362 struct nft_flowtable *flowtable)
5366 for (i = 0; i < flowtable->ops_len; i++) {
5367 if (!flowtable->ops[i].dev)
5370 nf_unregister_net_hook(net, &flowtable->ops[i]);
5374 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5375 struct sk_buff *skb,
5376 const struct nlmsghdr *nlh,
5377 const struct nlattr * const nla[],
5378 struct netlink_ext_ack *extack)
5380 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5381 const struct nf_flowtable_type *type;
5382 struct nft_flowtable *flowtable, *ft;
5383 u8 genmask = nft_genmask_next(net);
5384 int family = nfmsg->nfgen_family;
5385 struct nft_table *table;
5389 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5390 !nla[NFTA_FLOWTABLE_NAME] ||
5391 !nla[NFTA_FLOWTABLE_HOOK])
5394 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5396 if (IS_ERR(table)) {
5397 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5398 return PTR_ERR(table);
5401 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5403 if (IS_ERR(flowtable)) {
5404 err = PTR_ERR(flowtable);
5405 if (err != -ENOENT) {
5406 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5410 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5411 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5418 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5420 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5424 flowtable->table = table;
5425 flowtable->handle = nf_tables_alloc_handle(table);
5427 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5428 if (!flowtable->name) {
5433 type = nft_flowtable_type_get(family);
5435 err = PTR_ERR(type);
5439 flowtable->data.type = type;
5440 err = type->init(&flowtable->data);
5444 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5449 for (i = 0; i < flowtable->ops_len; i++) {
5450 if (!flowtable->ops[i].dev)
5453 list_for_each_entry(ft, &table->flowtables, list) {
5454 for (k = 0; k < ft->ops_len; k++) {
5455 if (!ft->ops[k].dev)
5458 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5459 flowtable->ops[i].pf == ft->ops[k].pf) {
5466 err = nf_register_net_hook(net, &flowtable->ops[i]);
5471 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5475 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5480 i = flowtable->ops_len;
5482 for (k = i - 1; k >= 0; k--) {
5483 kfree(flowtable->dev_name[k]);
5484 nf_unregister_net_hook(net, &flowtable->ops[k]);
5487 kfree(flowtable->ops);
5489 flowtable->data.type->free(&flowtable->data);
5491 module_put(type->owner);
5493 kfree(flowtable->name);
5499 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5500 struct sk_buff *skb,
5501 const struct nlmsghdr *nlh,
5502 const struct nlattr * const nla[],
5503 struct netlink_ext_ack *extack)
5505 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5506 u8 genmask = nft_genmask_next(net);
5507 int family = nfmsg->nfgen_family;
5508 struct nft_flowtable *flowtable;
5509 const struct nlattr *attr;
5510 struct nft_table *table;
5513 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5514 (!nla[NFTA_FLOWTABLE_NAME] &&
5515 !nla[NFTA_FLOWTABLE_HANDLE]))
5518 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5520 if (IS_ERR(table)) {
5521 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5522 return PTR_ERR(table);
5525 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5526 attr = nla[NFTA_FLOWTABLE_HANDLE];
5527 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5529 attr = nla[NFTA_FLOWTABLE_NAME];
5530 flowtable = nft_flowtable_lookup(table, attr, genmask);
5533 if (IS_ERR(flowtable)) {
5534 NL_SET_BAD_ATTR(extack, attr);
5535 return PTR_ERR(flowtable);
5537 if (flowtable->use > 0) {
5538 NL_SET_BAD_ATTR(extack, attr);
5542 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5544 return nft_delflowtable(&ctx, flowtable);
5547 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5548 u32 portid, u32 seq, int event,
5549 u32 flags, int family,
5550 struct nft_flowtable *flowtable)
5552 struct nlattr *nest, *nest_devs;
5553 struct nfgenmsg *nfmsg;
5554 struct nlmsghdr *nlh;
5557 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5558 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5560 goto nla_put_failure;
5562 nfmsg = nlmsg_data(nlh);
5563 nfmsg->nfgen_family = family;
5564 nfmsg->version = NFNETLINK_V0;
5565 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5567 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5568 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5569 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5570 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5571 NFTA_FLOWTABLE_PAD))
5572 goto nla_put_failure;
5574 nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
5575 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5576 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5577 goto nla_put_failure;
5579 nest_devs = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5581 goto nla_put_failure;
5583 for (i = 0; i < flowtable->ops_len; i++) {
5584 if (flowtable->dev_name[i][0] &&
5585 nla_put_string(skb, NFTA_DEVICE_NAME,
5586 flowtable->dev_name[i]))
5587 goto nla_put_failure;
5589 nla_nest_end(skb, nest_devs);
5590 nla_nest_end(skb, nest);
5592 nlmsg_end(skb, nlh);
5596 nlmsg_trim(skb, nlh);
5600 struct nft_flowtable_filter {
5604 static int nf_tables_dump_flowtable(struct sk_buff *skb,
5605 struct netlink_callback *cb)
5607 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5608 struct nft_flowtable_filter *filter = cb->data;
5609 unsigned int idx = 0, s_idx = cb->args[0];
5610 struct net *net = sock_net(skb->sk);
5611 int family = nfmsg->nfgen_family;
5612 struct nft_flowtable *flowtable;
5613 const struct nft_table *table;
5616 cb->seq = net->nft.base_seq;
5618 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5619 if (family != NFPROTO_UNSPEC && family != table->family)
5622 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5623 if (!nft_is_active(net, flowtable))
5628 memset(&cb->args[1], 0,
5629 sizeof(cb->args) - sizeof(cb->args[0]));
5630 if (filter && filter->table &&
5631 strcmp(filter->table, table->name))
5634 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5636 NFT_MSG_NEWFLOWTABLE,
5637 NLM_F_MULTI | NLM_F_APPEND,
5638 table->family, flowtable) < 0)
5641 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5653 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5655 struct nft_flowtable_filter *filter = cb->data;
5660 kfree(filter->table);
5666 static struct nft_flowtable_filter *
5667 nft_flowtable_filter_alloc(const struct nlattr * const nla[])
5669 struct nft_flowtable_filter *filter;
5671 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5673 return ERR_PTR(-ENOMEM);
5675 if (nla[NFTA_FLOWTABLE_TABLE]) {
5676 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5678 if (!filter->table) {
5680 return ERR_PTR(-ENOMEM);
5686 /* called with rcu_read_lock held */
5687 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5688 struct sk_buff *skb,
5689 const struct nlmsghdr *nlh,
5690 const struct nlattr * const nla[],
5691 struct netlink_ext_ack *extack)
5693 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5694 u8 genmask = nft_genmask_cur(net);
5695 int family = nfmsg->nfgen_family;
5696 struct nft_flowtable *flowtable;
5697 const struct nft_table *table;
5698 struct sk_buff *skb2;
5701 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5702 struct netlink_dump_control c = {
5703 .dump = nf_tables_dump_flowtable,
5704 .done = nf_tables_dump_flowtable_done,
5705 .module = THIS_MODULE,
5708 if (nla[NFTA_FLOWTABLE_TABLE]) {
5709 struct nft_flowtable_filter *filter;
5711 filter = nft_flowtable_filter_alloc(nla);
5717 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5720 if (!nla[NFTA_FLOWTABLE_NAME])
5723 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5726 return PTR_ERR(table);
5728 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5730 if (IS_ERR(flowtable))
5731 return PTR_ERR(flowtable);
5733 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5737 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
5739 NFT_MSG_NEWFLOWTABLE, 0, family,
5744 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5750 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
5751 struct nft_flowtable *flowtable,
5754 struct sk_buff *skb;
5758 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
5761 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5765 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
5767 ctx->family, flowtable);
5773 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
5774 ctx->report, GFP_KERNEL);
5777 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
5780 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
5782 kfree(flowtable->ops);
5783 kfree(flowtable->name);
5784 flowtable->data.type->free(&flowtable->data);
5785 module_put(flowtable->data.type->owner);
5788 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
5789 u32 portid, u32 seq)
5791 struct nlmsghdr *nlh;
5792 struct nfgenmsg *nfmsg;
5793 char buf[TASK_COMM_LEN];
5794 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
5796 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
5798 goto nla_put_failure;
5800 nfmsg = nlmsg_data(nlh);
5801 nfmsg->nfgen_family = AF_UNSPEC;
5802 nfmsg->version = NFNETLINK_V0;
5803 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5805 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
5806 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
5807 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
5808 goto nla_put_failure;
5810 nlmsg_end(skb, nlh);
5814 nlmsg_trim(skb, nlh);
5818 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
5819 struct nft_flowtable *flowtable)
5823 for (i = 0; i < flowtable->ops_len; i++) {
5824 if (flowtable->ops[i].dev != dev)
5827 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
5828 flowtable->dev_name[i][0] = '\0';
5829 flowtable->ops[i].dev = NULL;
5834 static int nf_tables_flowtable_event(struct notifier_block *this,
5835 unsigned long event, void *ptr)
5837 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
5838 struct nft_flowtable *flowtable;
5839 struct nft_table *table;
5842 if (event != NETDEV_UNREGISTER)
5845 net = maybe_get_net(dev_net(dev));
5849 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5850 list_for_each_entry(table, &net->nft.tables, list) {
5851 list_for_each_entry(flowtable, &table->flowtables, list) {
5852 nft_flowtable_event(event, dev, flowtable);
5855 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5860 static struct notifier_block nf_tables_flowtable_notifier = {
5861 .notifier_call = nf_tables_flowtable_event,
5864 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
5867 struct nlmsghdr *nlh = nlmsg_hdr(skb);
5868 struct sk_buff *skb2;
5871 if (nlmsg_report(nlh) &&
5872 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5875 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5879 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5886 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5887 nlmsg_report(nlh), GFP_KERNEL);
5890 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5894 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5895 struct sk_buff *skb, const struct nlmsghdr *nlh,
5896 const struct nlattr * const nla[],
5897 struct netlink_ext_ack *extack)
5899 struct sk_buff *skb2;
5902 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5906 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5911 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5917 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5918 [NFT_MSG_NEWTABLE] = {
5919 .call_batch = nf_tables_newtable,
5920 .attr_count = NFTA_TABLE_MAX,
5921 .policy = nft_table_policy,
5923 [NFT_MSG_GETTABLE] = {
5924 .call_rcu = nf_tables_gettable,
5925 .attr_count = NFTA_TABLE_MAX,
5926 .policy = nft_table_policy,
5928 [NFT_MSG_DELTABLE] = {
5929 .call_batch = nf_tables_deltable,
5930 .attr_count = NFTA_TABLE_MAX,
5931 .policy = nft_table_policy,
5933 [NFT_MSG_NEWCHAIN] = {
5934 .call_batch = nf_tables_newchain,
5935 .attr_count = NFTA_CHAIN_MAX,
5936 .policy = nft_chain_policy,
5938 [NFT_MSG_GETCHAIN] = {
5939 .call_rcu = nf_tables_getchain,
5940 .attr_count = NFTA_CHAIN_MAX,
5941 .policy = nft_chain_policy,
5943 [NFT_MSG_DELCHAIN] = {
5944 .call_batch = nf_tables_delchain,
5945 .attr_count = NFTA_CHAIN_MAX,
5946 .policy = nft_chain_policy,
5948 [NFT_MSG_NEWRULE] = {
5949 .call_batch = nf_tables_newrule,
5950 .attr_count = NFTA_RULE_MAX,
5951 .policy = nft_rule_policy,
5953 [NFT_MSG_GETRULE] = {
5954 .call_rcu = nf_tables_getrule,
5955 .attr_count = NFTA_RULE_MAX,
5956 .policy = nft_rule_policy,
5958 [NFT_MSG_DELRULE] = {
5959 .call_batch = nf_tables_delrule,
5960 .attr_count = NFTA_RULE_MAX,
5961 .policy = nft_rule_policy,
5963 [NFT_MSG_NEWSET] = {
5964 .call_batch = nf_tables_newset,
5965 .attr_count = NFTA_SET_MAX,
5966 .policy = nft_set_policy,
5968 [NFT_MSG_GETSET] = {
5969 .call_rcu = nf_tables_getset,
5970 .attr_count = NFTA_SET_MAX,
5971 .policy = nft_set_policy,
5973 [NFT_MSG_DELSET] = {
5974 .call_batch = nf_tables_delset,
5975 .attr_count = NFTA_SET_MAX,
5976 .policy = nft_set_policy,
5978 [NFT_MSG_NEWSETELEM] = {
5979 .call_batch = nf_tables_newsetelem,
5980 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5981 .policy = nft_set_elem_list_policy,
5983 [NFT_MSG_GETSETELEM] = {
5984 .call_rcu = nf_tables_getsetelem,
5985 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5986 .policy = nft_set_elem_list_policy,
5988 [NFT_MSG_DELSETELEM] = {
5989 .call_batch = nf_tables_delsetelem,
5990 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5991 .policy = nft_set_elem_list_policy,
5993 [NFT_MSG_GETGEN] = {
5994 .call_rcu = nf_tables_getgen,
5996 [NFT_MSG_NEWOBJ] = {
5997 .call_batch = nf_tables_newobj,
5998 .attr_count = NFTA_OBJ_MAX,
5999 .policy = nft_obj_policy,
6001 [NFT_MSG_GETOBJ] = {
6002 .call_rcu = nf_tables_getobj,
6003 .attr_count = NFTA_OBJ_MAX,
6004 .policy = nft_obj_policy,
6006 [NFT_MSG_DELOBJ] = {
6007 .call_batch = nf_tables_delobj,
6008 .attr_count = NFTA_OBJ_MAX,
6009 .policy = nft_obj_policy,
6011 [NFT_MSG_GETOBJ_RESET] = {
6012 .call_rcu = nf_tables_getobj,
6013 .attr_count = NFTA_OBJ_MAX,
6014 .policy = nft_obj_policy,
6016 [NFT_MSG_NEWFLOWTABLE] = {
6017 .call_batch = nf_tables_newflowtable,
6018 .attr_count = NFTA_FLOWTABLE_MAX,
6019 .policy = nft_flowtable_policy,
6021 [NFT_MSG_GETFLOWTABLE] = {
6022 .call_rcu = nf_tables_getflowtable,
6023 .attr_count = NFTA_FLOWTABLE_MAX,
6024 .policy = nft_flowtable_policy,
6026 [NFT_MSG_DELFLOWTABLE] = {
6027 .call_batch = nf_tables_delflowtable,
6028 .attr_count = NFTA_FLOWTABLE_MAX,
6029 .policy = nft_flowtable_policy,
6033 static int nf_tables_validate(struct net *net)
6035 struct nft_table *table;
6037 switch (net->nft.validate_state) {
6038 case NFT_VALIDATE_SKIP:
6040 case NFT_VALIDATE_NEED:
6041 nft_validate_state_update(net, NFT_VALIDATE_DO);
6043 case NFT_VALIDATE_DO:
6044 list_for_each_entry(table, &net->nft.tables, list) {
6045 if (nft_table_validate(net, table) < 0)
6054 static void nft_chain_commit_update(struct nft_trans *trans)
6056 struct nft_base_chain *basechain;
6058 if (nft_trans_chain_name(trans)) {
6059 rhltable_remove(&trans->ctx.table->chains_ht,
6060 &trans->ctx.chain->rhlhead,
6061 nft_chain_ht_params);
6062 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6063 rhltable_insert_key(&trans->ctx.table->chains_ht,
6064 trans->ctx.chain->name,
6065 &trans->ctx.chain->rhlhead,
6066 nft_chain_ht_params);
6069 if (!nft_is_base_chain(trans->ctx.chain))
6072 basechain = nft_base_chain(trans->ctx.chain);
6073 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
6075 switch (nft_trans_chain_policy(trans)) {
6078 basechain->policy = nft_trans_chain_policy(trans);
6083 static void nft_commit_release(struct nft_trans *trans)
6085 switch (trans->msg_type) {
6086 case NFT_MSG_DELTABLE:
6087 nf_tables_table_destroy(&trans->ctx);
6089 case NFT_MSG_DELCHAIN:
6090 nf_tables_chain_destroy(&trans->ctx);
6092 case NFT_MSG_DELRULE:
6093 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6095 case NFT_MSG_DELSET:
6096 nft_set_destroy(nft_trans_set(trans));
6098 case NFT_MSG_DELSETELEM:
6099 nf_tables_set_elem_destroy(&trans->ctx,
6100 nft_trans_elem_set(trans),
6101 nft_trans_elem(trans).priv);
6103 case NFT_MSG_DELOBJ:
6104 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6106 case NFT_MSG_DELFLOWTABLE:
6107 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6113 static void nf_tables_commit_release(struct net *net)
6115 struct nft_trans *trans, *next;
6117 if (list_empty(&net->nft.commit_list))
6122 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6123 list_del(&trans->list);
6124 nft_commit_release(trans);
6128 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6130 struct nft_rule *rule;
6131 unsigned int alloc = 0;
6134 /* already handled or inactive chain? */
6135 if (chain->rules_next || !nft_is_active_next(net, chain))
6138 rule = list_entry(&chain->rules, struct nft_rule, list);
6141 list_for_each_entry_continue(rule, &chain->rules, list) {
6142 if (nft_is_active_next(net, rule))
6146 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6147 if (!chain->rules_next)
6150 list_for_each_entry_continue(rule, &chain->rules, list) {
6151 if (nft_is_active_next(net, rule))
6152 chain->rules_next[i++] = rule;
6155 chain->rules_next[i] = NULL;
6159 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6161 struct nft_trans *trans, *next;
6163 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6164 struct nft_chain *chain = trans->ctx.chain;
6166 if (trans->msg_type == NFT_MSG_NEWRULE ||
6167 trans->msg_type == NFT_MSG_DELRULE) {
6168 kvfree(chain->rules_next);
6169 chain->rules_next = NULL;
6174 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6176 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6181 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6183 struct nft_rule **r = rules;
6184 struct nft_rules_old *old;
6189 r++; /* rcu_head is after end marker */
6193 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6196 static void nf_tables_commit_chain_active(struct net *net, struct nft_chain *chain)
6198 struct nft_rule **g0, **g1;
6201 next_genbit = nft_gencursor_next(net);
6203 g0 = rcu_dereference_protected(chain->rules_gen_0,
6204 lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
6205 g1 = rcu_dereference_protected(chain->rules_gen_1,
6206 lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
6208 /* No changes to this chain? */
6209 if (chain->rules_next == NULL) {
6210 /* chain had no change in last or next generation */
6214 * chain had no change in this generation; make sure next
6215 * one uses same rules as current generation.
6218 rcu_assign_pointer(chain->rules_gen_1, g0);
6219 nf_tables_commit_chain_free_rules_old(g1);
6221 rcu_assign_pointer(chain->rules_gen_0, g1);
6222 nf_tables_commit_chain_free_rules_old(g0);
6229 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6231 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6233 chain->rules_next = NULL;
6239 nf_tables_commit_chain_free_rules_old(g1);
6241 nf_tables_commit_chain_free_rules_old(g0);
6244 static void nft_chain_del(struct nft_chain *chain)
6246 struct nft_table *table = chain->table;
6248 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6249 nft_chain_ht_params));
6250 list_del_rcu(&chain->list);
6253 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6255 struct nft_trans *trans, *next;
6256 struct nft_trans_elem *te;
6257 struct nft_chain *chain;
6258 struct nft_table *table;
6260 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6261 if (nf_tables_validate(net) < 0)
6264 /* 1. Allocate space for next generation rules_gen_X[] */
6265 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6268 if (trans->msg_type == NFT_MSG_NEWRULE ||
6269 trans->msg_type == NFT_MSG_DELRULE) {
6270 chain = trans->ctx.chain;
6272 ret = nf_tables_commit_chain_prepare(net, chain);
6274 nf_tables_commit_chain_prepare_cancel(net);
6280 /* step 2. Make rules_gen_X visible to packet path */
6281 list_for_each_entry(table, &net->nft.tables, list) {
6282 list_for_each_entry(chain, &table->chains, list) {
6283 if (!nft_is_active_next(net, chain))
6285 nf_tables_commit_chain_active(net, chain);
6290 * Bump generation counter, invalidate any dump in progress.
6291 * Cannot fail after this point.
6293 while (++net->nft.base_seq == 0);
6295 /* step 3. Start new generation, rules_gen_X now in use. */
6296 net->nft.gencursor = nft_gencursor_next(net);
6298 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6299 switch (trans->msg_type) {
6300 case NFT_MSG_NEWTABLE:
6301 if (nft_trans_table_update(trans)) {
6302 if (!nft_trans_table_enable(trans)) {
6303 nf_tables_table_disable(net,
6305 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6308 nft_clear(net, trans->ctx.table);
6310 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6311 nft_trans_destroy(trans);
6313 case NFT_MSG_DELTABLE:
6314 list_del_rcu(&trans->ctx.table->list);
6315 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6317 case NFT_MSG_NEWCHAIN:
6318 if (nft_trans_chain_update(trans))
6319 nft_chain_commit_update(trans);
6321 nft_clear(net, trans->ctx.chain);
6323 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6324 nft_trans_destroy(trans);
6326 case NFT_MSG_DELCHAIN:
6327 nft_chain_del(trans->ctx.chain);
6328 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6329 nf_tables_unregister_hook(trans->ctx.net,
6333 case NFT_MSG_NEWRULE:
6334 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6335 nf_tables_rule_notify(&trans->ctx,
6336 nft_trans_rule(trans),
6338 nft_trans_destroy(trans);
6340 case NFT_MSG_DELRULE:
6341 list_del_rcu(&nft_trans_rule(trans)->list);
6342 nf_tables_rule_notify(&trans->ctx,
6343 nft_trans_rule(trans),
6346 case NFT_MSG_NEWSET:
6347 nft_clear(net, nft_trans_set(trans));
6348 /* This avoids hitting -EBUSY when deleting the table
6349 * from the transaction.
6351 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6352 !list_empty(&nft_trans_set(trans)->bindings))
6353 trans->ctx.table->use--;
6355 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6356 NFT_MSG_NEWSET, GFP_KERNEL);
6357 nft_trans_destroy(trans);
6359 case NFT_MSG_DELSET:
6360 list_del_rcu(&nft_trans_set(trans)->list);
6361 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6362 NFT_MSG_DELSET, GFP_KERNEL);
6364 case NFT_MSG_NEWSETELEM:
6365 te = (struct nft_trans_elem *)trans->data;
6367 te->set->ops->activate(net, te->set, &te->elem);
6368 nf_tables_setelem_notify(&trans->ctx, te->set,
6370 NFT_MSG_NEWSETELEM, 0);
6371 nft_trans_destroy(trans);
6373 case NFT_MSG_DELSETELEM:
6374 te = (struct nft_trans_elem *)trans->data;
6376 nf_tables_setelem_notify(&trans->ctx, te->set,
6378 NFT_MSG_DELSETELEM, 0);
6379 te->set->ops->remove(net, te->set, &te->elem);
6380 atomic_dec(&te->set->nelems);
6383 case NFT_MSG_NEWOBJ:
6384 nft_clear(net, nft_trans_obj(trans));
6385 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6387 nft_trans_destroy(trans);
6389 case NFT_MSG_DELOBJ:
6390 list_del_rcu(&nft_trans_obj(trans)->list);
6391 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6394 case NFT_MSG_NEWFLOWTABLE:
6395 nft_clear(net, nft_trans_flowtable(trans));
6396 nf_tables_flowtable_notify(&trans->ctx,
6397 nft_trans_flowtable(trans),
6398 NFT_MSG_NEWFLOWTABLE);
6399 nft_trans_destroy(trans);
6401 case NFT_MSG_DELFLOWTABLE:
6402 list_del_rcu(&nft_trans_flowtable(trans)->list);
6403 nf_tables_flowtable_notify(&trans->ctx,
6404 nft_trans_flowtable(trans),
6405 NFT_MSG_DELFLOWTABLE);
6406 nft_unregister_flowtable_net_hooks(net,
6407 nft_trans_flowtable(trans));
6412 nf_tables_commit_release(net);
6413 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6418 static void nf_tables_abort_release(struct nft_trans *trans)
6420 switch (trans->msg_type) {
6421 case NFT_MSG_NEWTABLE:
6422 nf_tables_table_destroy(&trans->ctx);
6424 case NFT_MSG_NEWCHAIN:
6425 nf_tables_chain_destroy(&trans->ctx);
6427 case NFT_MSG_NEWRULE:
6428 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6430 case NFT_MSG_NEWSET:
6431 nft_set_destroy(nft_trans_set(trans));
6433 case NFT_MSG_NEWSETELEM:
6434 nft_set_elem_destroy(nft_trans_elem_set(trans),
6435 nft_trans_elem(trans).priv, true);
6437 case NFT_MSG_NEWOBJ:
6438 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6440 case NFT_MSG_NEWFLOWTABLE:
6441 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6447 static int __nf_tables_abort(struct net *net)
6449 struct nft_trans *trans, *next;
6450 struct nft_trans_elem *te;
6452 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6454 switch (trans->msg_type) {
6455 case NFT_MSG_NEWTABLE:
6456 if (nft_trans_table_update(trans)) {
6457 if (nft_trans_table_enable(trans)) {
6458 nf_tables_table_disable(net,
6460 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6462 nft_trans_destroy(trans);
6464 list_del_rcu(&trans->ctx.table->list);
6467 case NFT_MSG_DELTABLE:
6468 nft_clear(trans->ctx.net, trans->ctx.table);
6469 nft_trans_destroy(trans);
6471 case NFT_MSG_NEWCHAIN:
6472 if (nft_trans_chain_update(trans)) {
6473 free_percpu(nft_trans_chain_stats(trans));
6475 nft_trans_destroy(trans);
6477 trans->ctx.table->use--;
6478 nft_chain_del(trans->ctx.chain);
6479 nf_tables_unregister_hook(trans->ctx.net,
6484 case NFT_MSG_DELCHAIN:
6485 trans->ctx.table->use++;
6486 nft_clear(trans->ctx.net, trans->ctx.chain);
6487 nft_trans_destroy(trans);
6489 case NFT_MSG_NEWRULE:
6490 trans->ctx.chain->use--;
6491 list_del_rcu(&nft_trans_rule(trans)->list);
6492 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
6494 case NFT_MSG_DELRULE:
6495 trans->ctx.chain->use++;
6496 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6497 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6498 nft_trans_destroy(trans);
6500 case NFT_MSG_NEWSET:
6501 trans->ctx.table->use--;
6502 list_del_rcu(&nft_trans_set(trans)->list);
6504 case NFT_MSG_DELSET:
6505 trans->ctx.table->use++;
6506 nft_clear(trans->ctx.net, nft_trans_set(trans));
6507 nft_trans_destroy(trans);
6509 case NFT_MSG_NEWSETELEM:
6510 te = (struct nft_trans_elem *)trans->data;
6512 te->set->ops->remove(net, te->set, &te->elem);
6513 atomic_dec(&te->set->nelems);
6515 case NFT_MSG_DELSETELEM:
6516 te = (struct nft_trans_elem *)trans->data;
6518 nft_set_elem_activate(net, te->set, &te->elem);
6519 te->set->ops->activate(net, te->set, &te->elem);
6522 nft_trans_destroy(trans);
6524 case NFT_MSG_NEWOBJ:
6525 trans->ctx.table->use--;
6526 list_del_rcu(&nft_trans_obj(trans)->list);
6528 case NFT_MSG_DELOBJ:
6529 trans->ctx.table->use++;
6530 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6531 nft_trans_destroy(trans);
6533 case NFT_MSG_NEWFLOWTABLE:
6534 trans->ctx.table->use--;
6535 list_del_rcu(&nft_trans_flowtable(trans)->list);
6536 nft_unregister_flowtable_net_hooks(net,
6537 nft_trans_flowtable(trans));
6539 case NFT_MSG_DELFLOWTABLE:
6540 trans->ctx.table->use++;
6541 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6542 nft_trans_destroy(trans);
6549 list_for_each_entry_safe_reverse(trans, next,
6550 &net->nft.commit_list, list) {
6551 list_del(&trans->list);
6552 nf_tables_abort_release(trans);
6558 static void nf_tables_cleanup(struct net *net)
6560 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6563 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6565 return __nf_tables_abort(net);
6568 static bool nf_tables_valid_genid(struct net *net, u32 genid)
6570 return net->nft.base_seq == genid;
6573 static const struct nfnetlink_subsystem nf_tables_subsys = {
6574 .name = "nf_tables",
6575 .subsys_id = NFNL_SUBSYS_NFTABLES,
6576 .cb_count = NFT_MSG_MAX,
6578 .commit = nf_tables_commit,
6579 .abort = nf_tables_abort,
6580 .cleanup = nf_tables_cleanup,
6581 .valid_genid = nf_tables_valid_genid,
6584 int nft_chain_validate_dependency(const struct nft_chain *chain,
6585 enum nft_chain_types type)
6587 const struct nft_base_chain *basechain;
6589 if (nft_is_base_chain(chain)) {
6590 basechain = nft_base_chain(chain);
6591 if (basechain->type->type != type)
6596 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6598 int nft_chain_validate_hooks(const struct nft_chain *chain,
6599 unsigned int hook_flags)
6601 struct nft_base_chain *basechain;
6603 if (nft_is_base_chain(chain)) {
6604 basechain = nft_base_chain(chain);
6606 if ((1 << basechain->ops.hooknum) & hook_flags)
6614 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6617 * Loop detection - walk through the ruleset beginning at the destination chain
6618 * of a new jump until either the source chain is reached (loop) or all
6619 * reachable chains have been traversed.
6621 * The loop check is performed whenever a new jump verdict is added to an
6622 * expression or verdict map or a verdict map is bound to a new chain.
6625 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6626 const struct nft_chain *chain);
6628 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
6629 struct nft_set *set,
6630 const struct nft_set_iter *iter,
6631 struct nft_set_elem *elem)
6633 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6634 const struct nft_data *data;
6636 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6637 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
6640 data = nft_set_ext_data(ext);
6641 switch (data->verdict.code) {
6644 return nf_tables_check_loops(ctx, data->verdict.chain);
6650 static int nf_tables_check_loops(const struct nft_ctx *ctx,
6651 const struct nft_chain *chain)
6653 const struct nft_rule *rule;
6654 const struct nft_expr *expr, *last;
6655 struct nft_set *set;
6656 struct nft_set_binding *binding;
6657 struct nft_set_iter iter;
6659 if (ctx->chain == chain)
6662 list_for_each_entry(rule, &chain->rules, list) {
6663 nft_rule_for_each_expr(expr, last, rule) {
6664 struct nft_immediate_expr *priv;
6665 const struct nft_data *data;
6668 if (strcmp(expr->ops->type->name, "immediate"))
6671 priv = nft_expr_priv(expr);
6672 if (priv->dreg != NFT_REG_VERDICT)
6676 switch (data->verdict.code) {
6679 err = nf_tables_check_loops(ctx,
6680 data->verdict.chain);
6689 list_for_each_entry(set, &ctx->table->sets, list) {
6690 if (!nft_is_active_next(ctx->net, set))
6692 if (!(set->flags & NFT_SET_MAP) ||
6693 set->dtype != NFT_DATA_VERDICT)
6696 list_for_each_entry(binding, &set->bindings, list) {
6697 if (!(binding->flags & NFT_SET_MAP) ||
6698 binding->chain != chain)
6701 iter.genmask = nft_genmask_next(ctx->net);
6705 iter.fn = nf_tables_loop_check_setelem;
6707 set->ops->walk(ctx, set, &iter);
6717 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
6719 * @attr: netlink attribute to fetch value from
6720 * @max: maximum value to be stored in dest
6721 * @dest: pointer to the variable
6723 * Parse, check and store a given u32 netlink attribute into variable.
6724 * This function returns -ERANGE if the value goes over maximum value.
6725 * Otherwise a 0 is returned and the attribute value is stored in the
6726 * destination variable.
6728 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
6732 val = ntohl(nla_get_be32(attr));
6739 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
6742 * nft_parse_register - parse a register value from a netlink attribute
6744 * @attr: netlink attribute
6746 * Parse and translate a register value from a netlink attribute.
6747 * Registers used to be 128 bit wide, these register numbers will be
6748 * mapped to the corresponding 32 bit register numbers.
6750 unsigned int nft_parse_register(const struct nlattr *attr)
6754 reg = ntohl(nla_get_be32(attr));
6756 case NFT_REG_VERDICT...NFT_REG_4:
6757 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
6759 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
6762 EXPORT_SYMBOL_GPL(nft_parse_register);
6765 * nft_dump_register - dump a register value to a netlink attribute
6767 * @skb: socket buffer
6768 * @attr: attribute number
6769 * @reg: register number
6771 * Construct a netlink attribute containing the register number. For
6772 * compatibility reasons, register numbers being a multiple of 4 are
6773 * translated to the corresponding 128 bit register numbers.
6775 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
6777 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
6778 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
6780 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
6782 return nla_put_be32(skb, attr, htonl(reg));
6784 EXPORT_SYMBOL_GPL(nft_dump_register);
6787 * nft_validate_register_load - validate a load from a register
6789 * @reg: the register number
6790 * @len: the length of the data
6792 * Validate that the input register is one of the general purpose
6793 * registers and that the length of the load is within the bounds.
6795 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
6797 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6801 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
6806 EXPORT_SYMBOL_GPL(nft_validate_register_load);
6809 * nft_validate_register_store - validate an expressions' register store
6811 * @ctx: context of the expression performing the load
6812 * @reg: the destination register number
6813 * @data: the data to load
6814 * @type: the data type
6815 * @len: the length of the data
6817 * Validate that a data load uses the appropriate data type for
6818 * the destination register and the length is within the bounds.
6819 * A value of NULL for the data means that its runtime gathered
6822 int nft_validate_register_store(const struct nft_ctx *ctx,
6823 enum nft_registers reg,
6824 const struct nft_data *data,
6825 enum nft_data_types type, unsigned int len)
6830 case NFT_REG_VERDICT:
6831 if (type != NFT_DATA_VERDICT)
6835 (data->verdict.code == NFT_GOTO ||
6836 data->verdict.code == NFT_JUMP)) {
6837 err = nf_tables_check_loops(ctx, data->verdict.chain);
6841 if (ctx->chain->level + 1 >
6842 data->verdict.chain->level) {
6843 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
6845 data->verdict.chain->level = ctx->chain->level + 1;
6851 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
6855 if (reg * NFT_REG32_SIZE + len >
6856 FIELD_SIZEOF(struct nft_regs, data))
6859 if (data != NULL && type != NFT_DATA_VALUE)
6864 EXPORT_SYMBOL_GPL(nft_validate_register_store);
6866 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
6867 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
6868 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
6869 .len = NFT_CHAIN_MAXNAMELEN - 1 },
6872 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
6873 struct nft_data_desc *desc, const struct nlattr *nla)
6875 u8 genmask = nft_genmask_next(ctx->net);
6876 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
6877 struct nft_chain *chain;
6880 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
6885 if (!tb[NFTA_VERDICT_CODE])
6887 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
6889 switch (data->verdict.code) {
6891 switch (data->verdict.code & NF_VERDICT_MASK) {
6906 if (!tb[NFTA_VERDICT_CHAIN])
6908 chain = nft_chain_lookup(ctx->table, tb[NFTA_VERDICT_CHAIN],
6911 return PTR_ERR(chain);
6912 if (nft_is_base_chain(chain))
6916 data->verdict.chain = chain;
6920 desc->len = sizeof(data->verdict);
6921 desc->type = NFT_DATA_VERDICT;
6925 static void nft_verdict_uninit(const struct nft_data *data)
6927 switch (data->verdict.code) {
6930 data->verdict.chain->use--;
6935 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
6937 struct nlattr *nest;
6939 nest = nla_nest_start(skb, type);
6941 goto nla_put_failure;
6943 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
6944 goto nla_put_failure;
6949 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
6951 goto nla_put_failure;
6953 nla_nest_end(skb, nest);
6960 static int nft_value_init(const struct nft_ctx *ctx,
6961 struct nft_data *data, unsigned int size,
6962 struct nft_data_desc *desc, const struct nlattr *nla)
6972 nla_memcpy(data->data, nla, len);
6973 desc->type = NFT_DATA_VALUE;
6978 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
6981 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
6984 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
6985 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
6986 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
6990 * nft_data_init - parse nf_tables data netlink attributes
6992 * @ctx: context of the expression using the data
6993 * @data: destination struct nft_data
6994 * @size: maximum data length
6995 * @desc: data description
6996 * @nla: netlink attribute containing data
6998 * Parse the netlink data attributes and initialize a struct nft_data.
6999 * The type and length of data are returned in the data description.
7001 * The caller can indicate that it only wants to accept data of type
7002 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7004 int nft_data_init(const struct nft_ctx *ctx,
7005 struct nft_data *data, unsigned int size,
7006 struct nft_data_desc *desc, const struct nlattr *nla)
7008 struct nlattr *tb[NFTA_DATA_MAX + 1];
7011 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
7015 if (tb[NFTA_DATA_VALUE])
7016 return nft_value_init(ctx, data, size, desc,
7017 tb[NFTA_DATA_VALUE]);
7018 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7019 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7022 EXPORT_SYMBOL_GPL(nft_data_init);
7025 * nft_data_release - release a nft_data item
7027 * @data: struct nft_data to release
7028 * @type: type of data
7030 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7031 * all others need to be released by calling this function.
7033 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7035 if (type < NFT_DATA_VERDICT)
7038 case NFT_DATA_VERDICT:
7039 return nft_verdict_uninit(data);
7044 EXPORT_SYMBOL_GPL(nft_data_release);
7046 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7047 enum nft_data_types type, unsigned int len)
7049 struct nlattr *nest;
7052 nest = nla_nest_start(skb, attr);
7057 case NFT_DATA_VALUE:
7058 err = nft_value_dump(skb, data, len);
7060 case NFT_DATA_VERDICT:
7061 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7068 nla_nest_end(skb, nest);
7071 EXPORT_SYMBOL_GPL(nft_data_dump);
7073 int __nft_release_basechain(struct nft_ctx *ctx)
7075 struct nft_rule *rule, *nr;
7077 BUG_ON(!nft_is_base_chain(ctx->chain));
7079 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7080 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7081 list_del(&rule->list);
7083 nf_tables_rule_release(ctx, rule);
7085 nft_chain_del(ctx->chain);
7087 nf_tables_chain_destroy(ctx);
7091 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7093 static void __nft_release_tables(struct net *net)
7095 struct nft_flowtable *flowtable, *nf;
7096 struct nft_table *table, *nt;
7097 struct nft_chain *chain, *nc;
7098 struct nft_object *obj, *ne;
7099 struct nft_rule *rule, *nr;
7100 struct nft_set *set, *ns;
7101 struct nft_ctx ctx = {
7103 .family = NFPROTO_NETDEV,
7106 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7107 ctx.family = table->family;
7109 list_for_each_entry(chain, &table->chains, list)
7110 nf_tables_unregister_hook(net, table, chain);
7111 list_for_each_entry(flowtable, &table->flowtables, list)
7112 nf_unregister_net_hooks(net, flowtable->ops,
7113 flowtable->ops_len);
7114 /* No packets are walking on these chains anymore. */
7116 list_for_each_entry(chain, &table->chains, list) {
7118 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7119 list_del(&rule->list);
7121 nf_tables_rule_release(&ctx, rule);
7124 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7125 list_del(&flowtable->list);
7127 nf_tables_flowtable_destroy(flowtable);
7129 list_for_each_entry_safe(set, ns, &table->sets, list) {
7130 list_del(&set->list);
7132 nft_set_destroy(set);
7134 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7135 list_del(&obj->list);
7137 nft_obj_destroy(&ctx, obj);
7139 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7141 nft_chain_del(chain);
7143 nf_tables_chain_destroy(&ctx);
7145 list_del(&table->list);
7146 nf_tables_table_destroy(&ctx);
7150 static int __net_init nf_tables_init_net(struct net *net)
7152 INIT_LIST_HEAD(&net->nft.tables);
7153 INIT_LIST_HEAD(&net->nft.commit_list);
7154 net->nft.base_seq = 1;
7155 net->nft.validate_state = NFT_VALIDATE_SKIP;
7160 static void __net_exit nf_tables_exit_net(struct net *net)
7162 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7163 if (!list_empty(&net->nft.commit_list))
7164 __nf_tables_abort(net);
7165 __nft_release_tables(net);
7166 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7167 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7170 static struct pernet_operations nf_tables_net_ops = {
7171 .init = nf_tables_init_net,
7172 .exit = nf_tables_exit_net,
7175 static int __init nf_tables_module_init(void)
7179 nft_chain_filter_init();
7181 info = kmalloc_array(NFT_RULE_MAXEXPRS, sizeof(struct nft_expr_info),
7188 err = nf_tables_core_module_init();
7192 err = nfnetlink_subsys_register(&nf_tables_subsys);
7196 register_netdevice_notifier(&nf_tables_flowtable_notifier);
7198 return register_pernet_subsys(&nf_tables_net_ops);
7200 nf_tables_core_module_exit();
7207 static void __exit nf_tables_module_exit(void)
7209 nfnetlink_subsys_unregister(&nf_tables_subsys);
7210 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7211 nft_chain_filter_fini();
7212 unregister_pernet_subsys(&nf_tables_net_ops);
7214 nf_tables_core_module_exit();
7218 module_init(nf_tables_module_init);
7219 module_exit(nf_tables_module_exit);
7221 MODULE_LICENSE("GPL");
7222 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7223 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
git.samba.org / sfrench / cifs-2.6.git / blob